Safeguard
Open Source Security

node-tar Windows-Specific Path Traversal Bypass (CVE-2021...

CVE-2021-37712 let malicious tar archives bypass node-tar's symlink protections on Windows via junctions, enabling path traversal during npm installs. Here's what to patch.

Aman Khan
AppSec Engineer
8 min read

In September 2021, the maintainers of node-tar — the tar archive library that npm itself relies on to unpack every package you install — disclosed a fresh path traversal bypass tracked as CVE-2021-37712. The flaw let a maliciously crafted .tgz archive escape its intended extraction directory on Windows by abusing Windows junction points, once again allowing arbitrary file creation or overwrite outside the folder a victim thought they were extracting into. It landed just weeks after node-tar had already patched a closely related class of symlink-based path traversal bugs, underscoring how difficult it is to fully close off filesystem escape vectors in archive extraction code — and how much of the JavaScript ecosystem quietly depends on node-tar getting this right.

What Is CVE-2021-37712?

To understand CVE-2021-37712, it helps to know what came before it. Earlier in 2021, security researchers reported CVE-2021-32803 and CVE-2021-32804, which showed that node-tar's symlink handling did not adequately prevent a tar archive from creating a symlink that pointed outside the extraction root and then writing through it. The project shipped fixes that resolved the real path of directories being extracted into and refused to write through anything that resolved outside the target directory.

CVE-2021-37712 (tracked upstream via GitHub Security Advisory GHSA-9r2w-394v-53qc) showed that this protection was incomplete on Windows specifically. Windows supports junctions — a reparse-point mechanism, conceptually similar to a symlink but scoped to directories, that any unprivileged user can create. A crafted archive could plant a junction inside the extraction path pointing at an arbitrary location on disk, then include subsequent tar entries that appeared to write "into" that path. Because node-tar cached directory paths it had already validated as safe, and that validation did not correctly account for a path component becoming a junction partway through extraction, the extractor would follow the junction and write attacker-controlled files outside the intended extraction directory — a classic path traversal outcome achieved through a Windows-specific filesystem primitive rather than the more familiar ../../ sequence.

The practical impact is the same as any archive-extraction path traversal: an attacker who can get a victim (or an automated build process) to extract a malicious tarball can create or overwrite files anywhere the extracting user has write access — including startup scripts, cron-equivalents on Windows, or files that get executed later, potentially leading to arbitrary code execution.

Affected Versions and Components

CVE-2021-37712 affects the node-tar npm package prior to the fixed releases. The node-tar maintainers shipped corrected versions across every actively maintained major line:

  • node-tar 6.1.9 and later
  • node-tar 5.0.10 and later
  • node-tar 4.4.18 and later
  • node-tar 3.2.4 and later

Anything below those version floors remains exposed to this specific junction-based bypass, even if it already contains the earlier CVE-2021-32803/32804 fixes.

Because node-tar is the extraction engine bundled inside npm itself, the blast radius extends well beyond projects that explicitly declare tar as a dependency. Every npm install that unpacks a .tgz package tarball goes through node-tar, so an outdated npm CLI — and by extension any Node.js runtime that bundles that CLI — carried the same exposure. On top of that, node-tar is a popular, general-purpose dependency used by build tools, CI utilities, Electron packaging pipelines, and countless other Node.js projects that extract archives, meaning the vulnerability showed up as a deep, often-invisible transitive dependency in a huge number of dependency trees.

CVE-2021-37712 Severity: CVSS, EPSS, and KEV Status

GitHub's advisory database rates CVE-2021-37712 as High severity, with a CVSS v3.1 base score in the 8.6 range — consistent with the other node-tar path traversal issues from the same disclosure cycle. The scoring reflects high confidentiality, integrity, and availability impact once exploited, offset somewhat by the requirement for user interaction: a victim (or an automated tool acting on their behalf, such as npm install) has to actually extract the malicious archive for the bypass to trigger. It is not a remotely exploitable, zero-click flaw.

EPSS scoring for CVE-2021-37712 has stayed low in the years since disclosure, which tracks with its exploitation profile: it requires delivering a crafted tarball and getting it extracted, rather than being reachable over an open network port. As of this writing, CVE-2021-37712 does not appear on CISA's Known Exploited Vulnerabilities (KEV) catalog, and there are no widely reported cases of active mass exploitation in the wild. That said, "no KEV listing" is not the same as "no risk" — supply chain attacks that trojanize npm packages are exactly the kind of delivery mechanism that would make an archive-extraction path traversal like this one dangerous, since a compromised or typosquatted package could ship a tarball engineered to trip this exact bug on a Windows build machine.

Timeline

  • August 3, 2021 — node-tar discloses and patches CVE-2021-32803 and CVE-2021-32804, the initial symlink-based path traversal issues, in versions 6.1.7, 5.0.8, 4.4.16, and 3.2.3.
  • Following weeks — further review of the fix (some of it prompted by continued research into node-tar's symlink and directory-cache logic) surfaces additional bypasses, including the Windows junction-specific case.
  • September 2021 — the node-tar maintainers disclose and patch a second wave of issues — CVE-2021-37701, CVE-2021-37712, and CVE-2021-37713 — together, releasing node-tar 6.1.9, 5.0.10, 4.4.18, and 3.2.4 to close all three.
  • Shortly after — npm ships CLI releases that bundle the patched tar dependency, and Node.js release lines that embed npm follow with updates incorporating the fix, propagating the patch out to developers who update their Node.js installation rather than npm directly.

Remediation Steps

  1. Upgrade node-tar directly. If your project or a tool you maintain depends on tar explicitly, update to 6.1.9, 5.0.10, 4.4.18, 3.2.4, or later — whichever major line you're on.
  2. Update npm and Node.js. Since node-tar ships inside npm, run npm --version and confirm you're on a release that bundles the patched tar. Updating Node.js itself to a current release will typically bring a fixed npm along with it.
  3. Audit your transitive dependency tree. node-tar is frequently pulled in indirectly by build tools, installers, and CI utilities. Run npm ls tar (or the equivalent for your package manager) across your repositories to find copies you didn't know you had, and don't stop at direct dependencies.
  4. Re-run software composition analysis (SCA) and npm audit. Treat any flagged instance of node-tar below the fixed versions as a finding requiring remediation, not just a warning to note.
  5. Be deliberate about extracting untrusted archives, especially on Windows build agents. Avoid extracting tarballs from unverified sources with elevated or broadly-scoped filesystem permissions, and prefer package sources with integrity verification (lockfiles with hashes, signed registries) over ad hoc tarball downloads.
  6. Patch build and CI infrastructure, not just application code. Windows-based build runners that call npm install are exactly the environment this bug targets — make sure your CI images are rebuilt with a patched Node.js/npm, not just your production dependency manifests.

How Safeguard Helps

CVE-2021-37712 is a good illustration of why manual dependency review doesn't scale: the vulnerable component is node-tar, but the exposure often shows up three or four layers deep, quietly bundled inside a build tool, a packaging library, or npm itself. Most teams never declare a direct dependency on it, which means it's easy to miss with a cursory package.json check.

Safeguard's software composition analysis continuously maps your full dependency graph — direct and transitive — against known CVEs like CVE-2021-37712, so a vulnerable node-tar buried inside a CI helper or an Electron build chain surfaces the same way a top-level dependency would. Because this vulnerability is Windows-specific and tied to how archives are extracted during builds, Safeguard correlates SBOM data with your actual build and CI environments, flagging cases where a vulnerable extraction path is reachable on Windows-based runners specifically, rather than issuing generic severity scores divorced from real exploitability.

Safeguard also tracks each finding's CVSS, EPSS trend, and KEV status over time, so security teams can prioritize CVE-2021-37712-class issues appropriately — patch it because it's a real path traversal with High severity impact, but don't let it crowd out actively-exploited vulnerabilities elsewhere in the stack. Policy gates in CI/CD block builds that reintroduce vulnerable node-tar versions after remediation, and continuous monitoring catches regressions if a future dependency bump silently pulls an outdated tar back in. For npm-heavy organizations, that combination of deep transitive visibility, environment-aware exploitability context, and automated gating is what turns a disclosure like CVE-2021-37712 from a scramble into a routine, verifiable patch cycle.

Never miss an update

Weekly insights on software supply chain security, delivered to your inbox.