What is CVE-2021-32804?

CVE-2021-32804 is a vulnerability in the npm package "tar" that allows a local attacker to traverse directories on the system.

What is the severity of CVE-2021-32804?

The severity of CVE-2021-32804 is high, with a CVSS score of 8.1 (out of 10).

How does CVE-2021-32804 affect Node.js?

CVE-2021-32804 affects Node.js through the vulnerable version of the "tar" npm package.

How can I fix CVE-2021-32804?

To fix CVE-2021-32804, you should update the "tar" npm package to version 6.1.1, 5.0.6, 4.4.14, or 3.3.2, depending on your Node.js version.

Where can I find more information about CVE-2021-32804?

You can find more information about CVE-2021-32804 at the following references: [Red Hat Advisory](https://access.redhat.com/security/cve/CVE-2021-32803), [npm Advisory](https://www.npmjs.com/advisories/1770), [GitHub Commit](https://github.com/npm/node-tar/commit/1f036ca23f64a547bdd6c79c1a44bc62e8115da4).

Vulnerability/
CVE-2021-32804

high

8.2

CWE

3/8/2021

20/11/2023

CVE-2021-32804: Path Traversal

First published: Tue Aug 03 2021(Updated: )

Node.js tar module could allow a local attacker to traverse directories on the system, caused by insufficient absolute path sanitization. An attacker could use a specially-crafted tar file containing "dot dot" sequences (/../) to create or overwrite arbitrary files on the system.

Credit: security-advisories@github.com

Affected Software	Affected Version	How to fix
redhat/rh-nodejs14-nodejs	<0:14.17.5-1.el7	0:14.17.5-1.el7
redhat/rh-nodejs12-nodejs	<0:12.22.5-1.el7	0:12.22.5-1.el7
redhat/rh-nodejs12-nodejs-nodemon	<0:2.0.3-5.el7	0:2.0.3-5.el7
Tar Project Tar	<3.2.2
Tar Project Tar	>=4.0.0<4.4.14
Tar Project Tar	>=5.0.0<5.0.6
Tar Project Tar	>=6.0.0<6.1.1
Oracle GraalVM	=20.3.3
Oracle GraalVM	=21.2.0
Siemens Sinec Infrastructure Network Services	<1.0.1.1
IBM Cloud Pak for Security	<=1.10.0.0 - 1.10.11.0
IBM QRadar Suite Software	<=1.10.12.0 - 1.10.16.0

Never miss a vulnerability like this again

Reference Links

Parent vulnerabilities

(Appears in the following advisories)

Frequently Asked Questions

What is CVE-2021-32804?
CVE-2021-32804 is a vulnerability in the npm package "tar" that allows a local attacker to traverse directories on the system.
What is the severity of CVE-2021-32804?
The severity of CVE-2021-32804 is high, with a CVSS score of 8.1 (out of 10).
How does CVE-2021-32804 affect Node.js?
CVE-2021-32804 affects Node.js through the vulnerable version of the "tar" npm package.
How can I fix CVE-2021-32804?
To fix CVE-2021-32804, you should update the "tar" npm package to version 6.1.1, 5.0.6, 4.4.14, or 3.3.2, depending on your Node.js version.
Where can I find more information about CVE-2021-32804?
You can find more information about CVE-2021-32804 at the following references: [Red Hat Advisory](https://access.redhat.com/security/cve/CVE-2021-32803), [npm Advisory](https://www.npmjs.com/advisories/1770), [GitHub Commit](https://github.com/npm/node-tar/commit/1f036ca23f64a547bdd6c79c1a44bc62e8115da4).

agent/author
agent/description
agent/event
agent/first-publish-date
agent/last-modified-date
agent/references
agent/remedy
agent/severity
agent/softwarecombine
agent/tags
agent/type
agent/weakness
collector/ibm-support
collector/nvd-index
collector/redhat-bugzilla
source/Red Hat
alias/CVE-2021-32804
agent/software-canonical-lookup
collector/redhat-cve
vendor/ibm
canonical/ibm cloud pak for security
version/ibm cloud pak for security/1.10.0.0 - 1.10.11.0
canonical/ibm qradar suite software
version/ibm qradar suite software/1.10.12.0 - 1.10.16.0
vendor/tar project
canonical/tar project tar
version/tar project tar/4.0.0
version/tar project tar/5.0.0
version/tar project tar/6.0.0
vendor/oracle
canonical/oracle graalvm
version/oracle graalvm/20.3.3
version/oracle graalvm/21.2.0
vendor/siemens
canonical/siemens sinec infrastructure network services
package-manager/redhat