node-tar Hardlink Target Escape Vulnerability Allowing Arbitrary File Read/Write

A vulnerability in node-tar versions through 7.5.7 allows an attacker to create hardlinks in the extraction directory that point to files outside the extraction root. This bypasses path protections and enables arbitrary file read and write as the user extracting the archive. The issue arises from the way linkpaths are checked and how hardlink targets are resolved during extraction, creating a chain of symlinks that leads to the exploitation.

Impact

Exploitation of this vulnerability allows for arbitrary file read and write operations via the extraction process, with the potential to overwrite files outside the extraction directory. This could lead to unauthorized access to sensitive information or modification of important files, depending on the context in which the node-tar module is used.

Reproduction

To reproduce this vulnerability, use node-tar version 7.5.7 or earlier and extract an archive that contains a hardlink pointing to a file outside the extraction directory. The extraction should be done with the default options, which do not include path preservation. After extraction, the hardlink will point to the external file, allowing it to be read or written to as the user running the extraction.

Remediation

Upgrade node-tar to version 7.5.8 or later, where this vulnerability has been fixed.