The npm package "tar" (aka node-tar) before versions 6.1.1, 5.0.6, 4.4.14, and 3.3.2 has an arbitrary File Creation/Overwrite vulnerability due to insufficient absolute path sanitization. This vulnerability allows attackers to exploit the package's functionality to create or overwrite files in unintended locations.
The CVSS score for this vulnerability is 8.2, indicating a high severity level. This score reflects the potential impact on confidentiality and integrity, making it critical for organizations using the affected package to address this issue promptly.
Organizations should prioritize patching immediately to mitigate risks associated with this vulnerability. Given that this issue is classified under CWE-22 (improper limitation of a pathname to a restricted directory, i.e. path traversal), it poses significant risks in terms of file manipulation and unauthorized access.
As of now, there is no confirmed public exploit available for this vulnerability, but it is essential for organizations to remain vigilant and apply the necessary patches.
Users may work around this vulnerability without upgrading by creating a custom onentry method which sanitizes the entry.path or a filter method which removes entries with absolute paths. For detailed remediation steps, refer to the GitHub Advisory.
Vulnerability Details
The npm package "tar" (aka node-tar) before versions 6.1.1, 5.0.6, 4.4.14, and 3.3.2 has an arbitrary File Creation/Overwrite vulnerability due to insufficient absolute path sanitization. node-tar aims to prevent extraction of absolute file paths by turning absolute paths into relative paths when the preservePaths flag is not set to true. This is achieved by stripping the absolute path root from any absolute file paths contained in a tar file.
This logic was insufficient when file paths contained repeated path roots such as ////home/user/.bashrc. node-tar would only strip a single path root from such paths. When given an absolute file path with repeating path roots, the resulting path (e.g. ///home/user/.bashrc) would still resolve to an absolute path, thus allowing arbitrary file creation and overwrite.
This issue was addressed in releases 3.2.2, 4.4.14, 5.0.6 and 6.1.1.
Technical Analysis
The root cause of this vulnerability lies in the inadequate handling of absolute paths during the extraction process of the tar package. The attack vector is local, and the attack complexity is low, allowing attackers to exploit this vulnerability easily.
No privileges are required for the attack, and user interaction is necessary to trigger the vulnerability. The potential impacts on confidentiality and integrity are high, while the availability impact is none.
Risk & Impact Analysis
Risk to organizations includes unauthorized file creation or overwriting, which could lead to data loss, corruption, or unauthorized access. Given the nature of the vulnerability, the potential blast radius can extend to any system that utilizes the affected versions of the tar package.
Organizations should assess their deployment environments for the presence of the vulnerable versions and prioritize patching in their respective patch cycles.
The urgency for remediation is high due to the potential for exploitation, especially as the vulnerability is publicly known.
Exploitation Status
| Signal | Status |
|---|---|
| Known Exploit | Yes |
| Public PoC | Yes |
| Actively Exploited | No |
| Ransomware Use | No |
Affected Versions
The affected versions of the npm package "tar" are those prior to 6.1.1, 5.0.6, 4.4.14, and 3.3.2. Organizations should ensure that they are running the patched versions to mitigate this vulnerability.
Mitigation & Remediation
Organizations should patch to versions 6.1.1, 5.0.6, 4.4.14, or 3.3.2 to remediate this vulnerability. If upgrading is not possible, consider implementing a custom onentry method that sanitizes the entry.path or a filter method that removes entries with absolute paths.
For more details on patching, organizations can refer to the penetration testing services offered by AppSecure.
Detection Guidance
Organizations should monitor for unusual file creation or modification events that could indicate exploitation of this vulnerability. Additionally, log entries pertaining to the npm tar package should be scrutinized for anomalies.
AppSecure Threat Intelligence Insight
This vulnerability exemplifies the ongoing challenges in software package management, particularly concerning file path handling. Security teams should remain vigilant about similar vulnerabilities in their software dependencies and implement rigorous security testing practices.
To further enhance security, organizations can review best practices in penetration testing methodology and consider adopting a vulnerability management program to address similar security issues proactively.
For organizations utilizing cloud services, it is advisable to configure your environments following the cloud security assessment guide to enhance their overall security posture.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.