CVE-2021-37701 Overview
CVE-2021-37701 is a high-severity vulnerability in the npm package "tar" (node-tar) that allows arbitrary file creation and overwrite, and through that arbitrary code execution, when a crafted archive is extracted. node-tar is designed to refuse to extract any file whose location would be modified by a symbolic link in the archive. That protection failed for archives containing both a directory and a symlink with the same name, where the name used backslashes as path separators and the archive was extracted on a POSIX system: node-tar's checks treated the backslash as a directory separator, while the filesystem treated it as an ordinary filename character. A related confusion affected case-insensitive filesystems. Either way, a malicious archive could symlink into an arbitrary location and then extract files into it.
Critical Impact
Successful exploitation lets a crafted archive redirect extraction through a symlink to a location outside the intended extraction directory, giving arbitrary file creation and overwrite. In a Node.js application (or an npm install) that unpacks untrusted archives, overwriting a file that is later executed or loaded turns this into code execution.
Affected Products
- npmjs tar: versions before 4.4.16, 5.x before 5.0.8, and 6.x before 6.1.7 (the deprecated 3.x line is also affected and was not patched)
- Debian Linux 10.0 and 11.0
- Oracle GraalVM Enterprise Edition 20.3.3 and 21.2.0
- Siemens SINEC Infrastructure Network Services
Discovery Timeline
- 2021-08-31 - CVE-2021-37701 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2021-37701
Vulnerability Analysis
This vulnerability exists because node-tar's directory cache and its symlink protection disagreed about what counts as a path separator. node-tar aims to guarantee that no file whose location would be modified by a symbolic link is extracted; part of that guarantee is ensuring that extracted directories are not symlinks. To avoid a stat call for every entry, node-tar caches the paths of directories it has already created and treats a cache hit as proof that a real directory exists at that path.
The cache-checking logic split paths on both \ (backslash) and / (forward slash). On Windows both are separators, but on POSIX systems a backslash is an ordinary filename character. An archive that contains a directory and then a symlink with the same backslash-containing name therefore leaves node-tar in an inconsistent state: the directory check consults the cache, which was populated as though the name were a nested path, while the filesystem object at that literal name is now the attacker's symlink. Files extracted under that name pass the cache check and are written through the symlink.
A related confusion arose on case-insensitive filesystems (the default on macOS volumes and on Windows NTFS). If an archive contains a directory FOO followed by a symbolic link foo, creating the symlink removes the directory from the filesystem but not from the cache, because the case-sensitive cache lookup did not register a hit. A subsequent entry FOO/file is then written into the symlink's target, since node-tar believes the directory already exists.
Root Cause
The root cause is classified as path traversal (CWE-22) combined with improper link resolution before file access (CWE-59). Concretely, node-tar normalized path separators the same way on every platform, so the directory cache treated a backslash as a separator on POSIX systems where it is a valid filename character, and the cache comparison did not account for the case folding of case-insensitive filesystems. In both cases the cache reports a directory at a path where the filesystem now holds a symlink, so the lstat-based symlink check is skipped and the write follows the link. The fixed releases treat backslashes as separators only on Windows and handle the case-only collision in the cache.
Attack Vector
The attack requires that a victim extract a specially crafted tar archive with a vulnerable version of node-tar (local access with user interaction in CVSS terms; in practice this covers any service, build pipeline or npm install that unpacks attacker-supplied archives). An attacker constructs a malicious tar file containing, in order:
- A directory entry whose name contains a backslash (e.g., evil\dir/)
- A symbolic link entry with the same name (evil\dir) pointing to a sensitive location such as /etc/
- File entries under that name (e.g., evil\dir/payload) that will be written through the symlink
When the vulnerable application extracts the archive, the directory is created and recorded in the cache. The symlink is then created at the literal backslash name, which on POSIX is a different filesystem object from the cached directory path, so the cache continues to report a directory there. Files extracted afterwards pass the cache check and follow the symlink to its target, allowing writes outside the intended extraction directory. The case-insensitive variant uses the same sequence with names that differ only in case (FOO/, then foo pointing at the target, then FOO/file).
The attack leverages the path separator confusion where path\to\file and path/to/file are treated as equivalent in cache lookups but are different names on a POSIX filesystem.
Detection Methods for CVE-2021-37701
Indicators of Compromise
- Unexpected files appearing in sensitive directories (e.g., /etc/, /usr/, home-directory dotfiles) immediately after a tar extraction or npm install
- Symbolic links in extraction directories pointing outside the extraction root
- Log entries showing file creation in privileged directories during npm package installation or application-level tar extraction
- Archives whose entry names contain backslashes (when destined for POSIX hosts), or that contain a directory entry followed by a symlink with the same name or a name differing only in case
Detection Strategies
- Monitor for tar extraction operations that create symbolic links, especially those pointing outside the extraction directory
- Implement file integrity monitoring on critical system directories to detect unauthorized modifications
- Audit Node.js applications for use of vulnerable node-tar versions using npm audit or software composition analysis tools
- Analyze incoming tar files before extraction for a directory entry followed by a symlink whose name matches it exactly, differs only in case, or differs only in backslash/forward-slash separators, and for file entries placed under such a name
Monitoring Recommendations
- Enable filesystem auditing on sensitive directories to detect symlink-based file creation attempts
- Configure application logging to capture tar extraction operations including full paths and entry types
- Deploy runtime application self-protection (RASP) solutions to monitor and block suspicious file operations
- Regularly scan software dependencies using tools like npm audit or Snyk to identify vulnerable node-tar versions
How to Mitigate CVE-2021-37701
Immediate Actions Required
- Upgrade node-tar to a patched release: 4.4.16, 5.0.8, or 6.1.7 or later on the respective release line
- Run npm audit fix in Node.js projects to update vulnerable copies of tar in the dependency tree, including transitive copies pulled in by other packages
- Review and audit any applications that process untrusted tar archives
- Implement input validation to reject tar archives from untrusted sources until patching is complete
Patch Information
Security patches are available in node-tar versions 4.4.16, 5.0.8, and 6.1.7. The v3 branch of node-tar has been deprecated and will not receive security updates; users on v3 should upgrade to a supported version. Detailed patch information is available in the GitHub Security Advisory GHSA-9r2w-394v-53qc. Enterprise users of Oracle GraalVM should apply the Oracle Critical Patch Update October 2021, while Siemens customers should consult the Siemens Security Advisory SSA-389290.
Workarounds
- If immediate patching is not possible, do not extract tar archives from untrusted sources
- Implement pre-extraction validation that lists the archive and rejects it if a symlink entry collides with an earlier directory entry (exactly, case-insensitively, or after treating backslashes as separators), or if entry names contain backslashes on a POSIX host
- Run extraction in a sandbox with restricted filesystem access (a dedicated user, container, or mount namespace) so that a write through a symlink cannot reach sensitive paths
- Pass a custom filter to node-tar's extract function that returns false for entries whose type is SymbolicLink; this is the workaround recommended in the advisory. node-tar has no option that disables symlinks outright, so the filter is the supported way to refuse them
# Upgrade the direct tar dependency within its semver range
npm update tar
# List every installed copy of tar, including nested copies under other packages, and confirm each is patched
npm list tar
# Report vulnerable packages anywhere in the dependency tree
npm audit
# Pin a specific patched version if the declared range does not allow the upgrade
npm install tar@6.1.7
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

