CVE-2021-32804: 
JavaScript vulnerability analysis and mitigation

CVE-2021-32804 is a vulnerability in node-tar affecting versions <3.2.2, 4.x <4.4.14, 5.x <5.0.6, and 6.x <6.1.1. The vulnerability stems from insufficient absolute path sanitization when the preservePaths flag is not set to true. The issue was discovered and disclosed in August 2021 (GitHub Advisory).

The vulnerability occurs in node-tar's path sanitization logic. When attempting to prevent extraction of absolute file paths, the package strips the absolute path root from file paths in tar files. However, the logic was insufficient when handling paths with repeated path roots (e.g., ////home/user/.bashrc). The package would only strip a single path root, leaving the path still resolvable as absolute (e.g., ///home/user/.bashrc), thus enabling arbitrary file creation and overwrite (GitHub Advisory).

A successful exploit could lead to arbitrary file creation and overwrite on the target system, potentially enabling arbitrary code execution. The vulnerability allows attackers to bypass the package's path sanitization protections and write files to arbitrary locations on the filesystem (GitHub Advisory).

The vulnerability has been patched in versions 3.2.2, 4.4.14, 5.0.6, and 6.1.1. Users should upgrade to these versions or later. As a temporary workaround, users can implement custom onentry or filter methods to sanitize entry paths or remove entries with absolute paths. However, upgrading to patched versions is strongly recommended over implementing custom sanitization (GitHub Advisory).