Threat Watch

GitHub Finds Seven Code Execution Vulnerabilities in Node.js Packages ‘tar’ and npm CLI

The GitHub security team has identified several high-severity vulnerabilities in npm packages, “tar” and “@npmcli/arborist,” used by npm CLI. The tar package receives 20 million weekly downloads on average, whereas arborist gets downloaded over 300,000 times every week. The vulnerabilities affect both Windows and Unix-based users, and if left unpatched, can be exploited by attackers to achieve arbitrary code execution on a system installing untrusted npm packages. Node.js package tar remains a core dependency for installers that need to unpack npm packages post-installation. The package is also used by thousands of other open-source projects, and as such receives roughly 20 million downloads every week. The arborist package is a core dependency relied on by npm CLI and is used to manage node_modules trees. These ZIP slip vulnerabilities pose a problem for developers installing untrusted npm packages using the npm CLI, or using “tar” to extract untrusted packages. By default, npm packages are shipped as .tar.gz or .tgz files which are ZIP-like archives and as such need to be extracted by the installation tools. The tools extracting these archives should ideally ensure any malicious paths within the archive don’t end up overwriting existing files, especially the sensitive ones, on the filesystem. But, because of the vulnerabilities, the npm package when extracted could overwrite arbitrary files with the privileges of the user running the npm install command.


As with any vulnerability, the best thing to do is be sure to apply whatever patches are available as soon as possible. Developers should upgrade their tar dependency versions to 4.4.19, 5.0.11, or 6.1.10, and upgrade @npmcli/arborist version 2.8.2 to patch the vulnerabilities. For npm CLI, versions v6.14.15, v7.21.0, or newer contain the fix. Additionally, Node.js version 12, 14, or 16 come with the fixed tar version and can be safely upgraded to, according to GitHub.