node-tar Hardlink Path Traversal Vulnerability Allowing Arbitrary File Access or Overwrite

A vulnerability exists in node-tar versions prior to 7.5.7, where the handling of hardlink entries introduces a path traversal issue. The security validation for hardlinks is inconsistent with the logic used to create them, allowing attackers to design a malicious TAR file that bypasses path traversal safeguards. This can result in hardlinks being created to arbitrary files outside the designated extraction directory. The vulnerability arises because the security check and hardlink creation process resolve paths differently, enabling exploitation by crafting specific linkpaths that escape the extraction directory.

Impact

Exploitation of this vulnerability allows for arbitrary file read or overwrite operations. When the crafted TAR archive is extracted, hardlinks are created that point to sensitive files outside the extraction directory. If the application later writes to these hardlink paths, it can overwrite the target files, potentially leading to data corruption or unauthorized access to sensitive information.

Reproduction

To reproduce this vulnerability, create a TAR archive containing a hardlink entry that points to a file outside the extraction directory. Upload this TAR archive to an application using an affected version of node-tar, and trigger the extraction process. After extraction, the hardlink will point to the specified file outside the extraction directory, bypassing the intended path traversal protections.

Remediation

Users should upgrade to node-tar version 7.5.7 or later, where this vulnerability has been fixed.