
Arbitrary File Overwrite in tar

High severity GitHub Reviewed Published May 1, 2019 • Updated Aug 3, 2021

Package

npm tar (npm)

Affected versions

< 2.2.2
>= 3.0.0, < 4.4.2

Patched versions

2.2.2
4.4.2

Description

Versions of tar prior to 4.4.2 on the 4.x line and prior to 2.2.2 on the 2.x line are vulnerable to arbitrary file overwrite. A crafted tarball contains a hardlink entry whose link target is a file that already exists on the system, followed by a regular file entry with the same name as the hardlink. On extraction the hardlink is created first, and the contents of the later entry are then written through that link, replacing the contents of the existing file with attacker-controlled data. The overwrite happens with the privileges of the extracting process, and because hardlinks cannot cross filesystems the target must live on the same filesystem as the extraction directory.

Recommendation

For tar 4.x, upgrade to version 4.4.2 or later.
For tar 2.x, upgrade to version 2.2.2 or later.
tar is usually pulled in transitively rather than declared directly; run npm ls tar to see every copy present in the dependency tree, since a patched top-level version does not fix a vulnerable nested one.

References

CVE ID

CVE-2018-20834

CVSS Score

7.5 High
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N