article featured image


In the course of two months (July and August), security experts at GitHub Robert Chen and Philip Papurt have discovered arbitrary code execution vulnerabilities in the open-source Node.js packages, tar, and @npmcli/arborist.

According to BleepingComputer, the tar package receives 20 million weekly downloads on average, whereas arborist gets downloaded over 300,000 times every week.
If not patched, the flaws that impact both Windows and Unix-based users could be abused by threat actors in order to attain arbitrary code execution on a system installing suspicious npm packages.

According to the researcher’s report, some of the vulnerabilities impacting Windows and Unix-based systems are rated high-severity and have been discovered in the aforementioned packages.

Chen and Papurt Rewarded

As a sign of appreciation and gratitude, both Robert Chen and Philip Papurt have received from the GitHub Security team a total bounty of $14,500 for their efforts in keeping GitHub secure.
Node.js package tar remains a core dependency for installers that have to unpack npm packages following the installation. Thousands of other open-source projects use the package, and such as it gets downloaded approximately 20 million times every week.

The arborist package is a core dependency relying on npm CLI and is used to handle node_modules trees.

These ZIP slip issues could constitute a serious concern for developers who use the npm CLI to install untrusted npm packages or who use “tar” to remove malicious packages.

Npm packages are typically sent as.tar.gz or.tgz files, which are ZIP-like archives that must be unpacked using installation tools. The tools used to extract these archives should ideally ensure that malicious paths do not overwrite existing files in the file system, particularly sensitive ones.

However, the npm package, when unpacked, could overwrite arbitrary files with the rights of the user running the npm install command due to the vulnerabilities outlined below:


As explained by Mike Hanley, Chief Security Officer at GitHub:

CVE-2021-32804, CVE-2021-37713, CVE-2021-39134, and CVE-2021-39135 specifically have a security impact on the npm CLI when processing a malicious or untrusted npm package install.

Some of these issues may result in arbitrary code execution, even if you are using –ignore-scripts to prevent the processing of package lifecycle scripts.


Users Urged to Patch the Flaws

The developers are encouraged by the package manager for JavaScript’s runtime Node.js npm to patch these flaws as soon as possible.

Developers should upgrade their tar dependency variants to 4.4.19, 5.0.11, or 6.1.10, and upgrade npmcli/arborist version 2.8.2 to fix the bugs.

For npm CLI, versions v6.14.15, v7.21.0, or newer include the patch. In addition, version 12, 14, or 16 of Node.js comes with a patched tar version and may be upgraded to GitHub safely.

GitHub’s comprehensive blog post provides all the information regarding these vulnerabilities.

Author Profile

Antonia Din

PR & Video Content Manager

linkedin icon

As a Senior Content Writer and Video Content Creator specializing in cybersecurity, I leverage digital media to unravel and clarify complex cybersecurity concepts and emerging trends. With my extensive knowledge in the field, I create content that engages a diverse audience, from cybersecurity novices to experienced experts. My approach is to create a nexus of understanding, taking technical security topics and transforming them into accessible, relatable knowledge for anyone interested in strengthening their security posture.

Leave a Reply

Your email address will not be published. Required fields are marked *