CVE-2021-32610 Overview
CVE-2021-32610 is a symlink path traversal vulnerability in PHP's Archive_Tar library prior to version 1.4.14. The vulnerability allows malicious tar archives containing symbolic links to reference and potentially overwrite files outside of the intended extraction directory. This is a distinct vulnerability from CVE-2020-36193, though both involve improper handling of symlinks during archive extraction.
Critical Impact
Attackers can craft malicious tar archives with symlinks pointing to sensitive files outside the extraction path, potentially leading to arbitrary file overwrite, sensitive data exposure, or code execution if critical system files are modified.
Affected Products
- PHP Archive_Tar (versions prior to 1.4.14)
- Debian Linux 9.0
- Fedora 33, 34, and 35
Discovery Timeline
- 2021-07-30 - CVE-2021-32610 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2021-32610
Vulnerability Analysis
The vulnerability exists in the Archive_Tar library's handling of symbolic links during tar archive extraction. When processing entries with typeflag == "2" (symbolic links), the library failed to properly validate that the symlink target remained within the intended extraction directory boundaries. An attacker could craft a tar archive containing a symlink that points to a location outside the extraction path, such as ../../../etc/passwd or absolute paths like /etc/shadow.
The root cause stems from insufficient path canonicalization and validation when resolving symbolic link destinations. The original implementation attempted to track directory depth but did not properly account for all traversal scenarios, including absolute paths and Windows-style paths containing colons.
Root Cause
The vulnerability is classified as CWE-59 (Improper Link Resolution Before File Access). The Archive/Tar.php file did not adequately verify that symbolic link targets remained within the extraction directory after path resolution. The flawed logic allowed specially crafted archives to escape directory boundaries through path traversal sequences.
Attack Vector
The attack vector is local: a victim system must process a malicious tar archive. Attack scenarios include:
- A malicious archive uploaded to a web application that processes tar files (e.g., Drupal modules, CMS themes)
- Automated backup restoration processes that extract untrusted archives
- Package installation workflows that handle tar-based packages
The attacker requires local access or the ability to supply a malicious archive to a vulnerable application. No user interaction is required beyond the system processing the malicious file.
The security patch implements proper symlink validation by:
} elseif ($v_header['typeflag'] == "2") {
+ if (!$p_symlinks) {
+ $this->_warning('Symbolic links are not allowed. '
+ . 'Unable to extract {'
+ . $v_header['filename'] . '}'
+ );
+ return false;
+ }
+ $absolute_link = FALSE;
$link_depth = 0;
- foreach (explode("/", $v_header['filename']) as $dir) {
- if ($dir === "..") {
- $link_depth--;
- } elseif ($dir !== "" && $dir !== "." ) {
- $link_depth++;
- }
+ if (strpos($v_header['link'], "/") === 0 || strpos($v_header['link'], ':') !== FALSE) {
+ $absolute_link = TRUE;
}
- foreach (explode("/", $v_header['link']) as $dir){
- if ($link_depth <= 0) {
- break;
+ else {
+ $s_filename = preg_replace('@^' . preg_quote($p_path) . '@', "", $v_header['filename']);
+ $s_linkname = str_replace('\\', '/', $v_header['link']);
+ foreach (explode("/", $s_filename) as $dir) {
+ if ($dir === "..") {
+ $link_depth--;
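Review bot: preg_quote($p_path) on the $s_filename line is called without the delimiter argument, so an extraction path containing the '@' used as the pattern delimiter would yield an invalid pattern and the prefix would not be stripped; use preg_quote($p_path, '@'). Also, the absolute-target test runs on the raw $v_header['link'] while the backslash-to-slash normalization only happens later on the $s_linkname line, so normalize once before testing for a leading separator so both checks see the same form of the target.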
Source: GitHub Security Commit
Detection Methods for CVE-2021-32610
Indicators of Compromise
- Tar archives containing symbolic links with ../ path traversal sequences
- Symlinks pointing to absolute paths (starting with / or containing :)
- Unexpected file modifications outside intended extraction directories
- Web application logs showing extraction of archives with suspicious symlink entries
Detection Strategies
- Monitor file system operations for symlink creation pointing outside application directories
- Implement static analysis scanning for Archive_Tar versions prior to 1.4.14
- Use software composition analysis (SCA) tools to identify vulnerable dependencies in PHP applications
- Audit Drupal, PEAR-based applications, and other PHP projects for outdated Archive_Tar library usage
Monitoring Recommendations
- Enable file integrity monitoring on critical system files and directories
- Log and alert on tar extraction operations in production environments
- Monitor for unexpected file permission changes following archive extraction
- Implement application-level logging for archive processing operations
How to Mitigate CVE-2021-32610
Immediate Actions Required
- Upgrade PHP Archive_Tar to version 1.4.14 or later immediately
- Review and audit any archives processed by vulnerable systems
- Check for unauthorized file modifications in sensitive directories
- For Drupal installations, apply security update SA-CORE-2021-004
Patch Information
The vulnerability is fixed in Archive_Tar version 1.4.14. The patch adds proper validation for symbolic links, including:
- Option to disable symlink extraction entirely via the $p_symlinks parameter
- Detection and rejection of absolute symlink paths (paths starting with / or containing :)
- Improved directory depth tracking to prevent traversal via relative paths
- Proper handling of Windows-style path separators
Patches are available via:
- GitHub Release 1.4.14
- Debian LTS Security Notice
- Fedora package updates for versions 33, 34, and 35
Workarounds
- Disable symlink extraction if functionality is not required
- Implement a validation layer that scans tar archives for symlinks before extraction
- Run archive extraction in sandboxed environments with restricted file system access
- Use chroot jails or containerization to limit the impact of symlink traversal attacks
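The symlink rule that the 1.4.14 patch applies (absolute targets rejected, entry depth minus the target's ".." components must stay positive), reimplemented as the pre-extraction validation layer suggested above. This is an added example, not Archive_Tar's own code: it uses Python's tarfile module rather than PHP, and the archive it builds is constructed for illustration.

```python
import io
import tarfile


def symlink_escapes(name: str, target: str) -> bool:
    """Archive_Tar 1.4.14 rule: absolute targets ('/' prefix or a ':' drive
    letter) are rejected; otherwise the entry's path components add depth,
    the target's '..' components subtract it, and <= 0 means it escapes."""
    if target.startswith("/") or ":" in target:
        return True
    depth = 0
    for part in name.replace("\\", "/").split("/"):
        if part == "..":
            depth -= 1
        elif part not in ("", "."):
            depth += 1
    for part in target.replace("\\", "/").split("/"):
        if depth <= 0:
            break  # already outside the root; later components cannot fix it
        if part == "..":
            depth -= 1
        elif part not in ("", "."):
            depth += 1
    return depth <= 0


def scan_tar(data: bytes) -> list:
    """Return (name, target) for every symlink member that would escape."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        for m in tar:
            if m.issym() and symlink_escapes(m.name, m.linkname):
                findings.append((m.name, m.linkname))
    return findings


def build_sample_archive() -> bytes:
    """Constructed in-memory archive: one benign symlink, two that escape."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, target in [
            ("site/themes/current", "../themes/default"),  # stays inside
            ("site/themes/stale", "../../../etc/passwd"),  # relative escape
            ("site/cfg", "/etc/shadow"),                   # absolute target
        ]:
            info = tarfile.TarInfo(name)
            info.type = tarfile.SYMTYPE
            info.linkname = target
            tar.addfile(info)
    return buf.getvalue()
```

Run scan_tar over an archive before handing it to Archive_Tar and refuse the whole archive if the list is non-empty; like the patch, the depth arithmetic does not follow links through symlinks extracted earlier in the same archive, so it complements rather than replaces the upgrade.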
# Check Archive_Tar version in your PHP environment
composer show pear/archive_tar
# Update Archive_Tar to patched version
composer require pear/archive_tar:^1.4.14
# For Drupal installations, update core
composer update drupal/core --with-dependencies
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


