Zarf, Path Traversal, CVE-2026-29064 (High)

Listen to this Post

The vulnerability resides in Zarf’s archive extraction code within src/pkg/archive/archive.go. When processing a Zarf package, three handler functions—defaultHandler (line 320), `stripHandler` (line 342), and `filterHandler` (line 370)—create symlinks from archive entries without validating that the symlink target resolves inside the destination directory. The `defaultHandler` uses `filepath.Join(dst, f.LinkTarget)` before calling os.Symlink, which cleans the path and can resolve traversal sequences like `../../../../etc/shadow` to an absolute path outside dst. The `stripHandler` passes the link target verbatim to os.Symlink, and `filterHandler` behaves similarly to defaultHandler. An attacker can craft a malicious Zarf package containing a symlink entry with a traversal target. Upon extraction, the symlink is created pointing to an arbitrary file system location (e.g., /etc/shadow). A subsequent archive entry targeting the same name can then read or write through that symlink, leading to arbitrary file read or write. This is a symlink-based variant of the Zip Slip vulnerability (CVE-2018-1002200). Although the vulnerability does not directly execute code, overwriting critical files (e.g., binaries, configuration) can lead to code execution if those files are later executed. The issue is fixed in Zarf version v0.73.1. Users should upgrade immediately or restrict package sources to trusted origins.

dailycve form:

Platform: Zarf
Version: Prior to 0.73.1
Vulnerability: Path Traversal
Severity: High
date: 2026-03-06

Prediction: Patch available v0.73.1

What Undercode Say:

Analytics

Reproduction steps (use in disposable environment)
mkdir -p /tmp/cve-repro/archive-contents
cd /tmp/cve-repro/archive-contents
ln -s ../../../../../../../etc/shadow escape-link
echo "benign content" > readme.txt
cd /tmp/cve-repro
tar -czf malicious.tar.gz -C archive-contents .
mkdir -p /tmp/cve-repro/extract/a/b/c/d
zarf tools archiver decompress malicious.tar.gz /tmp/cve-repro/extract/a/b/c/d
ls -la /tmp/cve-repro/extract/a/b/c/d/escape-link
readlink -f /tmp/cve-repro/extract/a/b/c/d/escape-link

Exploit:

  • Attacker creates a Zarf package with a symlink entry targeting a traversal path (e.g., ../../../../etc/shadow).
  • When extracted by a vulnerable Zarf binary, the symlink is created outside the intended directory.
  • A subsequent file entry in the same archive can write through that symlink, overwriting sensitive system files.
  • Alternatively, if the application reads files through the symlink, an attacker could read arbitrary files.

Protection from this CVE:

  • Upgrade to Zarf version v0.73.1 or later.
  • If immediate upgrade is not possible, only process Zarf packages from fully trusted sources.
  • Validate all archives before extraction using external tools that check symlink targets.

Impact:

  • Unauthorized read of sensitive files (e.g., /etc/shadow, credentials).
  • Unauthorized overwrite of critical system files, potentially leading to privilege escalation or denial of service.
  • In scenarios where overwritten files are executed, remote code execution may be achievable.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top