Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-1tz4-bphw-rbd3
Vulnerability ID VCID-1tz4-bphw-rbd3
Aliases CVE-2021-37701
GHSA-9r2w-394v-53qc
Summary Path Traversal This npm package has an arbitrary file creation/overwrite and arbitrary code execution vulnerability. node-tar aims to guarantee that any file whose location would be modified by a symbolic link is not extracted.
Status Published
Exploitability 0.5
Weighted Severity 8.0
Risk 4.0
Affected and Fixed Packages Package Details
Weaknesses (4)
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-59 Improper Link Resolution Before File Access ('Link Following')
System Score Found at
cvssv3 8.1 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-37701.json
epss 0.0011 https://api.first.org/data/v1/epss?cve=CVE-2021-37701
epss 0.0011 https://api.first.org/data/v1/epss?cve=CVE-2021-37701
epss 0.0011 https://api.first.org/data/v1/epss?cve=CVE-2021-37701
epss 0.0011 https://api.first.org/data/v1/epss?cve=CVE-2021-37701
epss 0.0011 https://api.first.org/data/v1/epss?cve=CVE-2021-37701
epss 0.0011 https://api.first.org/data/v1/epss?cve=CVE-2021-37701
epss 0.0011 https://api.first.org/data/v1/epss?cve=CVE-2021-37701
epss 0.0011 https://api.first.org/data/v1/epss?cve=CVE-2021-37701
epss 0.0011 https://api.first.org/data/v1/epss?cve=CVE-2021-37701
epss 0.0011 https://api.first.org/data/v1/epss?cve=CVE-2021-37701
epss 0.0011 https://api.first.org/data/v1/epss?cve=CVE-2021-37701
epss 0.0011 https://api.first.org/data/v1/epss?cve=CVE-2021-37701
epss 0.0011 https://api.first.org/data/v1/epss?cve=CVE-2021-37701
epss 0.0011 https://api.first.org/data/v1/epss?cve=CVE-2021-37701
epss 0.0011 https://api.first.org/data/v1/epss?cve=CVE-2021-37701
cvssv3.1 8.2 https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf
generic_textual HIGH https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf
cvssv3.1 8.1 https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv3.1_qr HIGH https://github.com/advisories/GHSA-9r2w-394v-53qc
cvssv3.1 8.2 https://github.com/npm/node-tar
generic_textual HIGH https://github.com/npm/node-tar
cvssv3.1 8.2 https://github.com/npm/node-tar/security/advisories/GHSA-9r2w-394v-53qc
cvssv3.1_qr HIGH https://github.com/npm/node-tar/security/advisories/GHSA-9r2w-394v-53qc
generic_textual HIGH https://github.com/npm/node-tar/security/advisories/GHSA-9r2w-394v-53qc
cvssv3.1 8.2 https://lists.debian.org/debian-lts-announce/2022/12/msg00023.html
generic_textual HIGH https://lists.debian.org/debian-lts-announce/2022/12/msg00023.html
cvssv3.1 8.2 https://nvd.nist.gov/vuln/detail/CVE-2021-37701
generic_textual HIGH https://nvd.nist.gov/vuln/detail/CVE-2021-37701
cvssv3.1 8.2 https://www.debian.org/security/2021/dsa-5008
generic_textual HIGH https://www.debian.org/security/2021/dsa-5008
cvssv3.1 8.2 https://www.npmjs.com/package/tar
generic_textual HIGH https://www.npmjs.com/package/tar
cvssv3.1 8.2 https://www.oracle.com/security-alerts/cpuoct2021.html
generic_textual HIGH https://www.oracle.com/security-alerts/cpuoct2021.html
Reference id Reference type URL
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-37701.json
https://api.first.org/data/v1/epss?cve=CVE-2021-37701
https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-37701
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-37712
https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
https://github.com/npm/node-tar
https://github.com/npm/node-tar/security/advisories/GHSA-9r2w-394v-53qc
https://lists.debian.org/debian-lts-announce/2022/12/msg00023.html
https://www.debian.org/security/2021/dsa-5008
https://www.npmjs.com/package/tar
https://www.oracle.com/security-alerts/cpuoct2021.html
1999731 https://bugzilla.redhat.com/show_bug.cgi?id=1999731
CVE-2021-37701 https://nvd.nist.gov/vuln/detail/CVE-2021-37701
GHSA-9r2w-394v-53qc https://github.com/advisories/GHSA-9r2w-394v-53qc
GLSA-202405-29 https://security.gentoo.org/glsa/202405-29
RHSA-2021:5086 https://access.redhat.com/errata/RHSA-2021:5086
RHSA-2022:0041 https://access.redhat.com/errata/RHSA-2022:0041
RHSA-2022:0246 https://access.redhat.com/errata/RHSA-2022:0246
RHSA-2022:0350 https://access.redhat.com/errata/RHSA-2022:0350
RHSA-2022:4914 https://access.redhat.com/errata/RHSA-2022:4914
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-37701.json
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N Found at https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N Found at https://github.com/npm/node-tar
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N Found at https://github.com/npm/node-tar/security/advisories/GHSA-9r2w-394v-53qc
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N Found at https://lists.debian.org/debian-lts-announce/2022/12/msg00023.html
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2021-37701
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N Found at https://www.debian.org/security/2021/dsa-5008
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N Found at https://www.npmjs.com/package/tar
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N Found at https://www.oracle.com/security-alerts/cpuoct2021.html
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.29453
EPSS Score 0.0011
Published At April 1, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-04-01T12:48:49.080934+00:00 GitLab Importer Import https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/tar/CVE-2021-37701.yml 38.0.0