This is a summary of the AI-generated 10-question deep analysis. The full version (longer answers, follow-up Q&A, related CVEs) requires login.
Q1 What is this vulnerability? (Essence + Consequences)
**Essence**: A path traversal vulnerability in `node-tar` (npm package). **Consequences**: Because absolute paths are not sufficiently cleaned during extraction, an attacker-supplied archive can create or overwrite arbitrary files on the system. …
**Root Cause**: CWE-22 (Improper Limitation of a Pathname to a Restricted Directory). **Flaw**: The library fails to properly sanitize absolute paths during extraction, so archive entries can be written outside the intended destination directory.
Q3 Who is affected? (Versions/Components)
**Affected**: Users of the `node-tar` npm package. **Vendor**: npm. **Note**: Since `npm` itself depends on `node-tar`, the npm tool is also indirectly affected by this vulnerability.
Q4 What can hackers do? (Privileges/Data)
**Hackers Can**: Create arbitrary files or overwrite existing ones. **Privileges**: Local access is required, but a successful attack can lead to system compromise. …
**Threshold**: Low to Medium. **Requirements**: Local access (AV:L), low complexity (AC:L), no privileges required (PR:N), but user interaction (UI:R) is needed (e.g., clicking a malicious link or running a command). …
**Public Exploit**: YES. **PoC Available**: A GitHub repository (`yamory/CVE-2021-32804`) provides Docker-based reproduction steps. **Proof**: Demonstrates overwriting `.bashrc` to execute commands upon `su node`.
Q7 How to self-check? (Features/Scanning)
**Self-Check**: Determine which `node-tar` version is installed by inspecting your `package-lock.json` or `node_modules` tree. **Feature**: Check whether your application extracts tarballs from untrusted sources. …
**Fixed**: YES. **Patch**: Official commit `1f036ca23f64a547bdd6c79c1a44bc62e8115da4` on GitHub addresses the issue. **Action**: Update `node-tar` to the patched version immediately.
Q9 What if no patch? (Workaround)
**No Patch?**: Avoid extracting untrusted tar files. **Mitigation**: Implement strict path validation before extraction, rejecting absolute entry paths and any entry that would resolve outside the destination directory. …
**Urgency**: HIGH. **Priority**: Critical for Node.js developers. **Reason**: The CVSS score indicates high impact (C:H, I:H). Since npm is widely used, the attack surface is broad. Patch ASAP!