Listen to this Post
How the mentioned CVE works:
The vulnerability resides in gdown/extractall.py within the extractall() function. This function accepts an archive path and a destination directory (to). It then calls Python’s tarfile.extractall() or zipfile.extractall() without any path validation or sanitization of archive member filenames. A malicious ZIP or TAR archive can contain entries with relative path traversal sequences such as “../” or absolute paths. When the vulnerable extractall() method executes, it writes files using those unsanitized names directly into the filesystem relative to the destination directory. Because no check ensures that the final absolute path remains inside the intended target directory, an attacker can escape the extraction root. For example, an archive entry named “../../.bashrc” will be written two levels above the destination. This behavior exists even on modern Python versions (3.12+) because the wrapper does not set the filter parameter or implement any custom validation. The library’s code simply calls f.extractall(path=to) where f is either a tarfile or zipfile object. This direct delegation bypasses built-in protections that would otherwise require an explicit filter to reject malicious members. As a result, any application using gdown to extract user-supplied archives is vulnerable to arbitrary file writes outside the intended directory.
dailycve form:
Platform: Python gdown library
Version: 5.2.1 and earlier
Vulnerability: Path Traversal via
Severity: Critical CVSS 9.8
date: 2026-04-14
Prediction: Expected patch 2026-05-01
What Undercode Say:
Check vulnerable version
pip show gdown | grep Version
Create malicious archive (PoC)
cat > poc.py << 'EOF'
import tarfile
import io
with tarfile.open("evil.tar", "w") as tar:
payload = tarfile.TarInfo(name="../escape.txt")
payload.size = len(b"Path Traversal Success!")
tar.addfile(payload, io.BytesIO(b"Path Traversal Success!"))
EOF
python3 poc.py
Execute vulnerable extraction
python3 -c "from gdown import extractall; extractall('evil.tar', to='./safe_target/subfolder')"
Verify path traversal success
ls -l ./safe_target/escape.txt
How Exploit:
- Craft a ZIP/TAR archive with member names containing “../” sequences.
- Deliver the archive to a victim using gdown to extract it.
- When extractall() is called, files land outside the target directory.
- Overwrite sensitive files like ~/.bashrc, ~/.ssh/authorized_keys, or Python modules.
- Achieve Remote Code Execution by overwriting executable scripts or virtual environment code.
Protection from this CVE:
- Upgrade gdown to a patched version (once available).
- Apply the suggested fix: implement path validation using os.path.abspath and os.path.commonpath to reject any member whose resolved path is not inside the destination directory.
- Use Python’s built-in tarfile.extractall() with the ‘data’ filter (Python 3.12+) or manually iterate members and check each path.
- Avoid extracting untrusted archives with gdown until a fix is released.
Impact:
Arbitrary file overwrite leading to Remote Code Execution (RCE). Attackers can replace configuration files, SSH keys, or system scripts, potentially gaining full control over the victim’s environment.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

