Debian Security Advisory

DLA-3237-1 node-tar -- LTS security update

Date Reported:
12 Dec 2022
Affected Packages:
node-tar
Security database references:
In the Debian bugtracking system: Bug 993981.
In Mitre's CVE dictionary: CVE-2021-37701, CVE-2021-37712.
More information:

Cache poisoning vulnerabilities were found in node-tar, a Node.js module used to read and write portable tar archives, which may result in arbitrary file creation or overwrite.

  • CVE-2021-37701

    It was discovered that node-tar's symlink protection was insufficient, leaving its directory cache vulnerable to poisoning via symbolic links.

    Upon extracting an archive containing a directory `foo/bar` followed by a symbolic link `foo\\bar` to an arbitrary location, node-tar would extract arbitrary files into the symlink target, thus allowing arbitrary file creation and overwrite.

    Moreover, on case-insensitive filesystems, a similar issue occurred with a directory `FOO` followed by a symbolic link `foo`.

  • CVE-2021-37712

    Similar to CVE-2021-37701, a specially crafted tar archive containing two directories and a symlink whose names contain Unicode values that normalize to the same value would bypass node-tar's symlink checks on directories, thus allowing arbitrary file creation and overwrite.
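
The aliasing patterns described above (backslash separator, letter case, Unicode normalization) can be checked on an archive's entry list before extraction. The following is an added example, not code from node-tar or from this advisory; the `{ path, type }` entry shape, the function names and the sample entries are assumptions constructed for illustration.

```javascript
// Added example: audit tar entry headers for symlinks that alias a directory.
// Entry shape and names are assumptions; the sample entries are constructed.

// Collapse the spellings the advisory describes onto one comparison key.
function cacheKey(p) {
  return p
    .replace(/\\/g, '/')   // backslash and slash name the same directory
    .normalize('NFKD')     // composed and decomposed Unicode forms match
    .toLowerCase()         // FOO and foo match on case-insensitive filesystems
    .split('/')
    .filter(Boolean)       // drop empty segments (trailing or doubled separators)
    .join('/');
}

// Report every symlink whose key equals a directory created by an earlier entry.
function findAliasedSymlinks(entries) {
  const dirs = new Map();  // key -> raw path of the entry that first implied it
  const findings = [];
  for (const { path, type } of entries) {
    const key = cacheKey(path);
    if (!key) continue;
    if (type === 'SymbolicLink' && dirs.has(key)) {
      findings.push({ symlink: path, impliedBy: dirs.get(key) });
    }
    // Every ancestor is a directory; so is the entry itself if it is one.
    const parts = key.split('/');
    const depth = type === 'Directory' ? parts.length : parts.length - 1;
    for (let i = 1; i <= depth; i++) {
      const k = parts.slice(0, i).join('/');
      if (!dirs.has(k)) dirs.set(k, path);
    }
  }
  return findings;
}

// Constructed sample: three aliasing pairs and one ordinary symlink.
const sample = [
  { path: 'foo/bar/', type: 'Directory' },
  { path: 'foo\\bar', type: 'SymbolicLink' },    // separator alias
  { path: 'Logs/', type: 'Directory' },
  { path: 'logs', type: 'SymbolicLink' },        // case alias
  { path: 'caf\u00e9/', type: 'Directory' },
  { path: 'cafe\u0301', type: 'SymbolicLink' },  // Unicode alias
  { path: 'docs/', type: 'Directory' },
  { path: 'docs/latest', type: 'SymbolicLink' }, // ordinary, not flagged
];
console.log(findAliasedSymlinks(sample));
```

An archive that produces any finding should be rejected or extracted only in an isolated directory by a fixed node-tar version.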

For Debian 10 buster, these problems have been fixed in version 4.4.6+ds1-3+deb10u2.

We recommend that you upgrade your node-tar packages.

For the detailed security status of node-tar, please refer to its security tracker page at:

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: