Safeguard
Open Source Security

node-tar Second Bypass Enabling Arbitrary File Write (CVE...

CVE-2021-32804 let crafted tar archives bypass node-tar path sanitization, enabling arbitrary file writes during npm package extraction.

Aman Khan
AppSec Engineer
7 min read

CVE-2021-32804 is a high-severity vulnerability in node-tar, the tar archive library that npm bundles internally to unpack packages during installation. The flaw allowed a maliciously crafted tar archive to bypass node-tar's absolute-path sanitization and write files to arbitrary locations on the filesystem outside the intended extraction directory. Because node-tar sits underneath npm's own install pipeline and is a standalone dependency pulled into thousands of downstream projects, the vulnerability's blast radius extended well past npm itself into any tool or build pipeline that extracts untrusted tarballs.

This was not node-tar's first brush with this class of bug. CVE-2021-32804 was, in effect, a second bypass of protections npm had already shipped once before — a pattern that matters for anyone thinking about how confidently a single patch can be trusted to close off an entire vulnerability class.

Affected Versions and Components

node-tar is maintained under the npm GitHub organization and is used directly by the npm CLI, as well as by a long list of downstream tools — Yarn, Electron-builder, and countless build and packaging scripts — that rely on it to extract .tar, .tgz, and similar archives. CVE-2021-32804 affected the node-tar package lines prior to the following patched releases:

  • node-tar 3.x before 3.2.3
  • node-tar 4.x before 4.4.16
  • node-tar 5.x before 5.0.8
  • node-tar 6.x before 6.1.7

Because npm vendors node-tar to unpack packages fetched from the registry (or from tarball URLs and local paths), any environment running an npm version that bundled a vulnerable node-tar release inherited the same exposure. The npm project shipped updated npm releases pulling in the fixed node-tar versions shortly after disclosure. Projects that depend on node-tar directly — rather than through npm's own internals — needed to bump their tar dependency independently, since npm's own upgrade did nothing to protect applications that call node-tar's API themselves.

Inside CVE-2021-32804: How the Absolute Path Bypass Works

To understand CVE-2021-32804, it helps to know the history it builds on. Tar archives can, in principle, contain entries with absolute paths (/etc/cron.d/malicious) or path traversal sequences using ../ segments. A tar extractor that naively honors those paths will write files wherever the archive tells it to, rather than confining output to the target extraction directory — a classic path traversal problem. node-tar had already been bitten by this once, in an earlier advisory that led the maintainers to add logic that strips leading path separators and resolves entries relative to the extraction root before writing anything to disk.

CVE-2021-32804 is the discovery that this absolute-path sanitization was incomplete. Certain crafted path strings in a tar entry's header could slip past the sanitization logic unmodified, so that when node-tar handed the "sanitized" path to Node's filesystem APIs, it was still effectively an absolute or traversal path pointing outside the extraction directory. In other words, the check that was supposed to neutralize dangerous paths during tar extraction could be bypassed with the right input, letting an attacker who controls the contents of a tarball — a malicious npm package, a poisoned build artifact, a tarball fetched from an untrusted source — overwrite or create files anywhere the extracting process had filesystem permissions to write. That could mean clobbering configuration files, dropping executables into a PATH directory, or overwriting scripts that get run later, all without any warning to the developer or CI system pulling the archive.

It's worth noting this vulnerability was disclosed alongside a sibling issue, CVE-2021-32803, which addressed a related but distinct gap: insufficient protection against symlinks being used to redirect extraction outside the target directory. Together, the two advisories illustrate how many different angles — absolute paths, relative paths, and symlinks — an npm package extraction routine has to defend against simultaneously, and how a fix that closes one angle can still leave another open.

CVSS and Exploitability Context

NVD rates CVE-2021-32804 as High severity, with a CVSS v3.1 base score of 8.6, reflecting a network-exploitable issue with low attack complexity and a high impact on integrity and availability once a victim extracts a malicious archive. CVE-2021-32804 does not appear on CISA's Known Exploited Vulnerabilities (KEV) catalog, and there is no public evidence of widespread active exploitation in the wild — the practical risk is concentrated in scenarios where an application extracts tarballs from untrusted or attacker-influenced sources, such as CI pipelines pulling artifacts from third parties, package managers resolving dependencies from mirrors, or any service that accepts user-uploaded archives for processing.

That said, "no known mass exploitation" is not the same as "safe to ignore." Supply chain attacks that rely on a single malicious package or compromised build artifact don't need broad exploitation to do damage — they need one CI runner or one developer machine to extract the wrong tarball.

Timeline

  • 2018 — An earlier node-tar advisory (tracked as CVE-2018-20834) established that specially crafted paths inside tar archives could escape the extraction target directory, and node-tar shipped sanitization logic to strip and normalize dangerous paths.
  • August 3, 2021 — The npm security team and GitHub Security Lab jointly disclosed two new node-tar advisories: CVE-2021-32803 (insufficient symlink protection) and CVE-2021-32804 (insufficient absolute path sanitization), both demonstrating that the 2018-era protections could be bypassed.
  • August 3, 2021 — Patched releases were published simultaneously across all four supported node-tar branches: 3.2.3, 4.4.16, 5.0.8, and 6.1.7.
  • Later in 2021 — Additional related node-tar advisories (including further symlink and directory-cache issues) were disclosed and patched, underscoring that path and symlink handling during tar extraction remained an area needing continued hardening.

Remediation Steps

  • Upgrade node-tar directly. If your project or tool depends on the tar npm package, update to 3.2.3, 4.4.16, 5.0.8, 6.1.7, or later, matching whichever major version line you're on.
  • Update npm itself. Because npm bundles node-tar internally, make sure you're running an npm release that includes the patched dependency, and don't assume a package-level npm audit fix alone covers npm's own bundled copy.
  • Audit transitive dependencies. Tools like Yarn, Electron-builder, and various CI/build utilities pull in node-tar transitively. Run npm ls tar (or your package manager's equivalent) across your dependency tree to confirm no vulnerable version is still being resolved somewhere.
  • Treat tar extraction as untrusted input handling. Any service or script that extracts tarballs from external, third-party, or user-supplied sources should be reviewed as if it were parsing untrusted input generally — because it is. Consider extraction sandboxes, restricted filesystem permissions for the extracting process, and validation of archive contents before extraction where feasible.
  • Re-verify lockfiles and CI caches. Environments that cached a vulnerable node-tar version in a lockfile, Docker layer, or CI dependency cache should regenerate those artifacts rather than assuming a source-level bump alone propagates everywhere it's used.

How Safeguard Helps

CVE-2021-32804 is a good illustration of why point-in-time patching isn't enough for software supply chain security: this was already the second time node-tar's path-handling logic needed to be fixed, and further related advisories followed later the same year. A single "we patched it once" checkbox doesn't tell you whether the underlying dependency graph across your organization has actually moved off every vulnerable release, or whether a new transitive path back to an old node-tar version has quietly reappeared.

Safeguard continuously maps the real dependency graph behind every build — not just declared top-level packages, but the transitive tree that actually gets resolved and extracted at install time — so vulnerabilities like CVE-2021-32804 in a deeply nested dependency like node-tar don't hide behind layers of tooling such as npm, Yarn, or bundler wrappers. When a new node-tar-class advisory drops, Safeguard flags every affected package version across your repositories and pipelines, prioritizes remediation based on real reachability and exploitability context rather than raw CVSS alone, and tracks whether the fix actually lands — including in lockfiles, CI caches, and container images that can otherwise silently reintroduce a patched vulnerability.

For path traversal and tar extraction issues specifically, Safeguard also helps teams identify where untrusted archives are being processed in build and deployment pipelines, so that defense-in-depth controls — not just dependency upgrades — can be applied where the actual risk lives. Given how often tar and archive-handling logic in the npm ecosystem has needed follow-up fixes, that kind of continuous, graph-aware visibility is what turns a single CVE alert into durable protection against the next bypass.

Never miss an update

Weekly insights on software supply chain security, delivered to your inbox.