The vulnerability exists in `IArchive.WriteToDirectory()`, where the directory-entry branch lacks `Path.GetFullPath()` normalization and bounds checks before calling `Directory.CreateDirectory`. Two .NET `Path.Combine` behaviours enable exploitation: relative path segments (e.g. `../../evil`) are resolved by the OS to traverse outside the extraction root, and absolute paths (e.g. `/tmp/evil`) discard the base directory entirely. While file entries are protected, the directory-entry fast path is not. For ZIP archives this allows arbitrary directory creation; for TAR archives it can be escalated to full arbitrary file writes. The escalation works because `Path.GetFullPath` on .NET does not resolve symlinks. An attacker can include a symlink entry (e.g. `link → ../evil_outside/`) and then a file entry (`link/secret.txt`). The file-entry guard computes `Path.GetFullPath("/safe/extract/link")`, which appears to be inside the root, so the check passes, but the OS follows the symlink and writes the file outside the extraction root. SharpCompress does not validate `linkTarget` before calling the caller's `SymbolicLinkHandler`, making the default handler exploitable.
dailycve form
Platform: SharpCompress library
Version: up to 0.47.4
Vulnerability: directory traversal
Severity: moderate
Date: 2026-05-06
Prediction: 2026-05-15 (expected patch)
What Undercode Say:
Clone the Proof-of-Concept (PoC) repository:
`git clone https://github.com/svenclaesson/poc-sharpcompress-traversal`
`cd poc-sharpcompress-traversal`
Run the PoC with .NET:
`dotnet run`
Vulnerable code snippet (sync branch, IArchiveExtensions.cs:48–61):
```csharp
var dirPath = Path.Combine(destinationDirectory, entry.Key);
Directory.CreateDirectory(Path.GetDirectoryName(dirPath + "/"));
```
Exploit:
- Craft a malicious archive (ZIP or TAR) containing directory entries with `../` or absolute paths.
- For TAR archives, also include a symlink entry pointing outside the extraction root and a file entry inside that symlink’s path.
- Provide a `SymbolicLinkHandler` that creates the symlink (no validation of the target).
- The extraction creates directories/files outside the intended root, leading to arbitrary file writes.
Protection from this CVE
- Upgrade to SharpCompress > 0.47.4 (once available).
- Apply the recommended fix: normalize the destination directory with `Path.GetFullPath` and enforce `StartsWith` checks before creating any directory.
- Validate `linkTarget` in any custom `SymbolicLinkHandler`; reject paths that escape the extraction root.
- Avoid extracting untrusted archives with `WriteToDirectory` until patched.
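The fix recommended above (normalize with `Path.GetFullPath`, enforce a root prefix check, validate `linkTarget`) as an added C# example; this is not SharpCompress code, and the class and method names, the sample root `/safe/extract` and the sample entry keys are constructed for illustration. It goes one step further than the advisory text by also refusing to write through a parent directory that already exists on disk as a symlink, since `GetFullPath` does not follow links.

```csharp
using System;
using System.IO;

// Added example, not SharpCompress code: hardened destination checks for the issues above.
static class SafeExtractPaths
{
    static readonly char Sep = Path.DirectorySeparatorChar;
    // Compare root and candidate in trailing-separator form so "/safe/extract2" is not "inside" "/safe/extract".
    static string NormalizeRoot(string root) => Path.GetFullPath(root).TrimEnd(Sep) + Sep;
    static bool IsInside(string rootFull, string path) => (path.TrimEnd(Sep) + Sep).StartsWith(rootFull, StringComparison.Ordinal);

    // Entry key -> absolute destination, or an exception. Rooted keys are rejected outright
    // (Path.Combine would discard the root); ".." is collapsed by GetFullPath before the prefix check.
    public static string ResolveEntry(string root, string entryKey)
    {
        var rootFull = NormalizeRoot(root);
        if (Path.IsPathRooted(entryKey)) throw new InvalidOperationException($"rooted key: {entryKey}");
        var candidate = Path.GetFullPath(Path.Combine(rootFull, entryKey));
        if (!IsInside(rootFull, candidate)) throw new InvalidOperationException($"escapes root: {entryKey}");
        return candidate;
    }

    // Symlink entry: the target, resolved relative to the link's own directory, must stay inside
    // the root too, otherwise a later "link/secret.txt" passes the file check yet lands outside.
    public static string ResolveLinkTarget(string root, string linkKey, string linkTarget)
    {
        var linkDir = Path.GetDirectoryName(ResolveEntry(root, linkKey))!;
        var target = Path.GetFullPath(Path.Combine(linkDir, linkTarget)); // a rooted target drops linkDir
        if (!IsInside(NormalizeRoot(root), target)) throw new InvalidOperationException($"link escapes root: {linkTarget}");
        return target;
    }

    // GetFullPath never follows links, so before writing a file refuse any on-disk parent that is already a symlink (.NET 6+).
    public static void RejectSymlinkParents(string root, string fullPath)
    {
        for (var d = new DirectoryInfo(Path.GetDirectoryName(fullPath)!);
             d != null && d.FullName.Length >= NormalizeRoot(root).Length; d = d.Parent)
            if (d.Exists && d.LinkTarget != null) throw new InvalidOperationException($"symlink in path: {d.FullName}");
    }

    static void Main()
    {
        const string root = "/safe/extract"; // constructed sample root; nothing is written to disk here
        foreach (var key in new[] { "docs/readme.txt", "../../evil", "/tmp/evil" })
            try { Console.WriteLine($"{key} -> {ResolveEntry(root, key)}"); }
            catch (InvalidOperationException e) { Console.WriteLine($"{key} rejected: {e.Message}"); }
        try { ResolveLinkTarget(root, "link", "../evil_outside/"); }
        catch (InvalidOperationException e) { Console.WriteLine($"link rejected: {e.Message}"); }
    }
}
```

Call `RejectSymlinkParents` with the path returned by `ResolveEntry` immediately before opening the output file, so the on-disk check runs against the directories that earlier entries actually created.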
Impact
Arbitrary directory creation (ZIP) and full arbitrary file write primitive (TAR), subject to process permissions. Potential for privilege escalation (e.g., cron drop‑ins, XDG config paths, service spool directories) and shadowing of expected paths to alter application behaviour.
Sources:
Reported By: github.com