tar@3.1.3 vulnerabilities

tar for node

Direct Vulnerabilities

Known vulnerabilities in the tar package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.
Fix for free
Vulnerability Vulnerable Version
  • M
Uncontrolled Resource Consumption ('Resource Exhaustion')

tar is a full-featured Tar for Node.js.

Affected versions of this package are vulnerable to Uncontrolled Resource Consumption ('Resource Exhaustion') due to the lack of folders count validation during the folder creation process. An attacker who generates a large number of sub-folders can consume memory on the system running the software and even crash the client within few seconds of running it using a path with too many sub-folders inside.

How to fix Uncontrolled Resource Consumption ('Resource Exhaustion')?

Upgrade tar to version 6.2.1 or higher.

<6.2.1
  • H
Arbitrary File Write

tar is a full-featured Tar for Node.js.

Affected versions of this package are vulnerable to Arbitrary File Write. node-tar aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by ensuring that extracted directories are not symlinks. Additionally, in order to prevent unnecessary stat calls to determine whether a given path is a directory, paths are cached when directories are created.

This logic was insufficient when extracting tar files that contained both a directory and a symlink with the same name as the directory, where the symlink and directory names in the archive entry used backslashes as a path separator on posix systems. The cache checking logic used both \ and / characters as path separators. However, \ is a valid filename character on posix systems.

By first creating a directory, and then replacing that directory with a symlink, it is possible to bypass node-tar symlink checks on directories, essentially allowing an untrusted tar file to symlink into an arbitrary location. This can lead to extracting arbitrary files into that location, thus allowing arbitrary file creation and overwrite.

Additionally, a similar confusion could arise on case-insensitive filesystems. If a tar archive contained a directory at FOO, followed by a symbolic link named foo, then on case-insensitive file systems, the creation of the symbolic link would remove the directory from the filesystem, but not from the internal directory cache, as it would not be treated as a cache hit. A subsequent file entry within the FOO directory would then be placed in the target of the symbolic link, thinking that the directory had already been created.

How to fix Arbitrary File Write?

Upgrade tar to version 6.1.7, 5.0.8, 4.4.16 or higher.

>=6.0.0 <6.1.7 >=5.0.0 <5.0.8 <4.4.16
  • H
Arbitrary File Write

tar is a full-featured Tar for Node.js.

Affected versions of this package are vulnerable to Arbitrary File Write. node-tar aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by ensuring that extracted directories are not symlinks. Additionally, in order to prevent unnecessary stat calls to determine whether a given path is a directory, paths are cached when directories are created.

This logic is insufficient when extracting tar files that contain two directories and a symlink with names containing unicode values that normalized to the same value. Additionally, on Windows systems, long path portions would resolve to the same file system entities as their 8.3 "short path" counterparts. A specially crafted tar archive can include directories with two forms of the path that resolve to the same file system entity, followed by a symbolic link with a name in the first form, lastly followed by a file using the second form. This leads to bypassing node-tar symlink checks on directories, essentially allowing an untrusted tar file to symlink into an arbitrary location and extracting arbitrary files into that location.

How to fix Arbitrary File Write?

Upgrade tar to version 6.1.9, 5.0.10, 4.4.18 or higher.

>=6.0.0 <6.1.9 >=5.0.0 <5.0.10 <4.4.18
  • H
Arbitrary File Write

tar is a full-featured Tar for Node.js.

Affected versions of this package are vulnerable to Arbitrary File Write. node-tar aims to guarantee that any file whose location would be outside of the extraction target directory is not extracted. This is, in part, accomplished by sanitizing absolute paths of entries within the archive, skipping archive entries that contain .. path portions, and resolving the sanitized paths against the extraction target directory.

This logic is insufficient on Windows systems when extracting tar files that contain a path that is not an absolute path, but specify a drive letter different from the extraction target, such as C:some\path. If the drive letter does not match the extraction target, for example D:\extraction\dir, then the result of path.resolve(extractionDirectory, entryPath) resolves against the current working directory on the C: drive, rather than the extraction target directory.

Additionally, a .. portion of the path can occur immediately after the drive letter, such as C:../foo, and is not properly sanitized by the logic that checks for .. within the normalized and split portions of the path.

Note: This only affects users of node-tar on Windows systems.

How to fix Arbitrary File Write?

Upgrade tar to version 6.1.9, 5.0.10, 4.4.18 or higher.

>=6.0.0 <6.1.9 >=5.0.0 <5.0.10 <4.4.18
  • L
Regular Expression Denial of Service (ReDoS)

tar is a full-featured Tar for Node.js.

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS). When stripping the trailing slash from files arguments, the f.replace(/\/+$/, '') performance of this function can exponentially degrade when f contains many / characters resulting in ReDoS.

This vulnerability is not likely to be exploitable as it requires that the untrusted input is being passed into the tar.extract() or tar.list() array of entries to parse/extract, which would be unusual.

How to fix Regular Expression Denial of Service (ReDoS)?

Upgrade tar to version 6.1.4, 5.0.8, 4.4.16 or higher.

>=6.0.0 <6.1.4 >=5.0.0 <5.0.8 <4.4.16
  • H
Arbitrary File Overwrite

tar is a full-featured Tar for Node.js.

Affected versions of this package are vulnerable to Arbitrary File Overwrite. This is due to insufficient absolute path sanitization.

node-tar aims to prevent extraction of absolute file paths by turning absolute paths into relative paths when the preservePaths flag is not set to true. This is achieved by stripping the absolute path root from any absolute file paths contained in a tar file. For example, the path /home/user/.bashrc would turn into home/user/.bashrc.

This logic is insufficient when file paths contain repeated path roots such as ////home/user/.bashrc. node-tar only strips a single path root from such paths. When given an absolute file path with repeating path roots, the resulting path (e.g. ///home/user/.bashrc) still resolves to an absolute path.

How to fix Arbitrary File Overwrite?

Upgrade tar to version 3.2.2, 4.4.14, 5.0.6, 6.1.1 or higher.

<3.2.2 >=4.0.0 <4.4.14 >=5.0.0 <5.0.6 >=6.0.0 <6.1.1
  • H
Arbitrary File Overwrite

tar is a full-featured Tar for Node.js.

Affected versions of this package are vulnerable to Arbitrary File Overwrite. This is due to insufficient symlink protection. node-tar aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by ensuring that extracted directories are not symlinks. Additionally, in order to prevent unnecessary stat calls to determine whether a given path is a directory, paths are cached when directories are created.

This logic is insufficient when extracting tar files that contain both a directory and a symlink with the same name as the directory. This order of operations results in the directory being created and added to the node-tar directory cache. When a directory is present in the directory cache, subsequent calls to mkdir for that directory are skipped. However, this is also where node-tar checks for symlinks occur. By first creating a directory, and then replacing that directory with a symlink, it is possible to bypass node-tar symlink checks on directories, essentially allowing an untrusted tar file to symlink into an arbitrary location and subsequently extracting arbitrary files into that location.

How to fix Arbitrary File Overwrite?

Upgrade tar to version 3.2.3, 4.4.15, 5.0.7, 6.1.2 or higher.

<3.2.3 >=4.0.0 <4.4.15 >=5.0.0 <5.0.7 >=6.0.0 <6.1.2
  • H
Arbitrary File Overwrite

tar is a full-featured Tar for Node.js.

Affected versions of this package are vulnerable to Arbitrary File Overwrite. Extracting tarballs containing a hard-link to a file that already exists in the system, and a file that matches the hard-link may overwrite system's files with the contents of the extracted file.

How to fix Arbitrary File Overwrite?

Upgrade tar to version 2.2.2, 4.4.2 or higher.

<2.2.2 >=3.0.0 <4.4.2