Listen to this Post
The vulnerability resides in Zarf’s archive extraction code within src/pkg/archive/archive.go. When processing a Zarf package, three handler functions—defaultHandler (line 320), `stripHandler` (line 342), and `filterHandler` (line 370)—create symlinks from archive entries without validating that the symlink target resolves inside the destination directory. The `defaultHandler` uses `filepath.Join(dst, f.LinkTarget)` before calling os.Symlink, which cleans the path and can resolve traversal sequences like `../../../../etc/shadow` to an absolute path outside dst. The `stripHandler` passes the link target verbatim to os.Symlink, and `filterHandler` behaves similarly to defaultHandler. An attacker can craft a malicious Zarf package containing a symlink entry with a traversal target. Upon extraction, the symlink is created pointing to an arbitrary file system location (e.g., /etc/shadow). A subsequent archive entry targeting the same name can then read or write through that symlink, leading to arbitrary file read or write. This is a symlink-based variant of the Zip Slip vulnerability (CVE-2018-1002200). Although the vulnerability does not directly execute code, overwriting critical files (e.g., binaries, configuration) can lead to code execution if those files are later executed. The issue is fixed in Zarf version v0.73.1. Users should upgrade immediately or restrict package sources to trusted origins.
dailycve form:
Platform: Zarf
Version: Prior to 0.73.1
Vulnerability: Path Traversal
Severity: High
date: 2026-03-06
Prediction: Patch available v0.73.1
What Undercode Say:
Analytics
Reproduction steps (use in disposable environment) mkdir -p /tmp/cve-repro/archive-contents cd /tmp/cve-repro/archive-contents ln -s ../../../../../../../etc/shadow escape-link echo "benign content" > readme.txt cd /tmp/cve-repro tar -czf malicious.tar.gz -C archive-contents . mkdir -p /tmp/cve-repro/extract/a/b/c/d zarf tools archiver decompress malicious.tar.gz /tmp/cve-repro/extract/a/b/c/d ls -la /tmp/cve-repro/extract/a/b/c/d/escape-link readlink -f /tmp/cve-repro/extract/a/b/c/d/escape-link
Exploit:
- Attacker creates a Zarf package with a symlink entry targeting a traversal path (e.g.,
../../../../etc/shadow). - When extracted by a vulnerable Zarf binary, the symlink is created outside the intended directory.
- A subsequent file entry in the same archive can write through that symlink, overwriting sensitive system files.
- Alternatively, if the application reads files through the symlink, an attacker could read arbitrary files.
Protection from this CVE:
- Upgrade to Zarf version v0.73.1 or later.
- If immediate upgrade is not possible, only process Zarf packages from fully trusted sources.
- Validate all archives before extraction using external tools that check symlink targets.
Impact:
- Unauthorized read of sensitive files (e.g.,
/etc/shadow, credentials). - Unauthorized overwrite of critical system files, potentially leading to privilege escalation or denial of service.
- In scenarios where overwritten files are executed, remote code execution may be achievable.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

