
GitHub finds 7 code execution vulnerabilities in 'tar' and npm CLI
2021-09-09 03:37

The vulnerabilities affect both Windows and Unix-based users, and if left unpatched, can be exploited by attackers to achieve arbitrary code execution on a system installing untrusted npm packages.

On further review of the researchers' reports, the GitHub security team found additional high-severity vulnerabilities in the same packages, affecting both Windows and Unix-based systems.

The Node.js package tar is a core dependency of installers that need to unpack npm packages after installation.

The arborist package is a core dependency of the npm CLI and is used to manage node_modules trees.

These ZIP slip vulnerabilities pose a problem for developers installing untrusted npm packages with the npm CLI, or using "tar" to extract untrusted packages.

"CVE-2021-32804, CVE-2021-37713, CVE-2021-39134, and CVE-2021-39135 specifically have a security impact on the npm CLI when processing a malicious or untrusted npm package install," explains Mike Hanley, Chief Security Officer at GitHub.


News URL

https://www.bleepingcomputer.com/news/security/github-finds-7-code-execution-vulnerabilities-in-tar-and-npm-cli/

Related Vulnerability

| DATE | CVE | VULNERABILITY TITLE | DESCRIPTION | ATTACK VECTOR | COMPLEXITY | VENDORS | CWE | RISK |
|---|---|---|---|---|---|---|---|---|
| 2021-08-31 | CVE-2021-39135 | UNIX Symbolic Link (Symlink) Following vulnerability in multiple products | `@npmcli/arborist`, the library that calculates dependency trees and manages the `node_modules` folder hierarchy for the npm command line interface, aims to guarantee that package dependency contracts will be met, and the extraction of package contents will always be performed into the expected folder. | local | low | npmjs, oracle, siemens | CWE-61 | 7.8 |
| 2021-08-31 | CVE-2021-39134 | Improper Handling of Case Sensitivity vulnerability in multiple products | `@npmcli/arborist`, the library that calculates dependency trees and manages the `node_modules` folder hierarchy for the npm command line interface, aims to guarantee that package dependency contracts will be met, and the extraction of package contents will always be performed into the expected folder. | local | low | npmjs, oracle, siemens | CWE-178 | 7.8 |
| 2021-08-31 | CVE-2021-37713 | Path Traversal vulnerability in multiple products | The npm package "tar" (aka node-tar) before versions 4.4.18, 5.0.10, and 6.1.9 has an arbitrary file creation/overwrite and arbitrary code execution vulnerability. | | | | | 4.4 |
| 2021-08-03 | CVE-2021-32804 | Path Traversal vulnerability in multiple products | The npm package "tar" (aka node-tar) before versions 6.1.1, 5.0.6, 4.4.14, and 3.3.2 has an arbitrary File Creation/Overwrite vulnerability due to insufficient absolute path sanitization. | | | | | 5.8 |

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Github 10 2 30 29 14 75