node-tar Symlink Path Traversal Vulnerability Allowing Arbitrary File Overwrite

Vulnerability

A symlink path traversal vulnerability has been identified in node-tar, the tar manipulation library for Node.js. It affects versions through 7.5.10. During extraction, a crafted archive can cause node-tar to create a symlink whose target lies outside the designated extraction directory. The bypass uses a drive-relative target such as 'C:../../../target.txt': on Windows a path that starts with a drive letter and a colon but no separator after the colon is neither absolute nor rooted (it is resolved against the current directory of that drive), so it does not look like an absolute path, yet its '..' segments still climb out of the extraction directory. When an attacker-controlled archive is extracted with the tar.x() method, a later entry written through that symlink lands on the targeted file, which gives the attacker an arbitrary file overwrite on the system.

Impact

Exploitation results in an arbitrary file overwrite outside the intended extraction directory, with the privileges of the process performing the extraction, and therefore in data loss or corruption of whatever that file held. Any file the extracting process can write is reachable; which one is overwritten depends only on the symlink target chosen by the attacker.

Reproduction

The vulnerability can be reproduced by creating a tar archive that contains a symbolic link entry whose drive-relative target points outside the extraction directory. The archive can be built with node-tar itself, giving the link entry a linkpath such as 'C:../../../target.txt' whose '..' segments traverse out of the intended directory. Extracting that archive with tar.x() creates the symlink, and writes that follow the link land on the targeted file outside the extraction directory.

Remediation

Users should upgrade to node-tar version 7.5.11 or later, where this vulnerability has been fixed. The package is usually pulled in transitively rather than listed directly, so run `npm ls tar` in each project to find every copy in the dependency tree, including nested ones, and confirm that all of them resolve to 7.5.11 or later. Until the upgrade is in place, do not extract archives from untrusted sources with tar.x() on the affected versions.

Added: Mar 10, 2026, 7:55 AM
Updated: Mar 10, 2026, 7:55 AM

Vulnerability Rating

Custom Algorithm
spread: 7.8
impact: 2.5
exploitability: 5.4
remediation: 7.7
relevance: 3.7
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.