DRUPAL-CORE-2021-004

DRUPAL-CORE-2021-004 PUBLISHED CVSS 9.3 CRITICAL

The Drupal project uses the PEAR Archive_Tar library, which has released a security update that impacts Drupal. The vulnerability is mitigated by the fact that Drupal core's own use of the Archive_Tar library is not vulnerable, as it does not permit symlinks. Exploitation may be possible if contrib or custom code uses the library to extract tar archives (for example .tar, .tar.gz, .bz2, or .tlz) that come from a potentially untrusted source. This advisory is not covered by [Drupal Steward](/steward).

Risk Scores

CVSS v4.0
9.3
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Affected Products

| Vendor | Product | Versions |
|--------|---------|----------|
| drupal | core | 8.0.0, 9.1.0, 8.1.0-rc1 |

Timeline

  • Jul 21, 2021 CVE Published
  • Dec 10, 2025 CVE Updated