GHSA-fcfm-93gv-wh6f
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Lifecycle Timeline
5Description PRE-NVD
AnalysisAI
Arbitrary file modification in the Perl Archive::Tar module before version 3.08 allows a malicious tar archive to create hardlinks pointing outside the extraction directory. Any application or service that extracts attacker-supplied tarballs is affected: because extraction chmods the shared inode of a hardlink, an attacker can alter permissions of sensitive files outside the intended target path. EPSS is very low (0.02%, 5th percentile) and there is no public exploit identified at time of analysis; it is not listed in CISA KEV.
Technical ContextAI
Archive::Tar is a pure-Perl library (CPAN distribution, CPE cpe:2.3:a:archive\:\:tar_project:archive\:\:tar) widely used to read and write tar archives, including in automated pipelines that ingest untrusted archives. The flaw is a CWE-59 Improper Link Resolution ('Link Following') issue: during extraction in _make_special_file, the library created hardlink (and the related symlink) entries using the linkname supplied by the archive without validating it. The fixed commit (17c873492a05) adds checks under the default SECURE EXTRACT MODE that reject link targets that are absolute paths or that contain '..' traversal components. The hardlink case is particularly dangerous because, as the patch comment notes, the extraction process itself chmods the shared inode, so creating a hardlink to a file outside the extraction tree lets the archive change that external file's permissions.
RemediationAI
Upgrade Archive::Tar to version 3.08 or later (Vendor-released patch: 3.08), which restores SECURE EXTRACT MODE checks that reject hardlink and symlink targets with absolute paths or '..' traversal; the fix is in commit https://github.com/jib/archive-tar-new/commit/17c873492a05eddc0de18c1485e0b2cccd5a9158 and documented at https://metacpan.org/release/BINGOS/Archive-Tar-3.08/changes. On systems that ship Archive::Tar with Perl core, update the OS/vendor package (see Debian tracking) rather than only the standalone CPAN module. Until patched, do not enable $Archive::Tar::INSECURE_EXTRACT_MODE (it bypasses the link checks), and treat untrusted archives defensively: extract only into a dedicated throwaway/sandboxed directory that contains no sensitive files and is isolated from system paths (trade-off: requires reworking extraction workflows), or pre-screen archive entries and reject any hardlink/symlink whose linkname is absolute or contains '..' before extraction (trade-off: custom validation code must stay in sync with edge cases the library now handles).
Same weakness CWE-59 – Improper Link Resolution Before File Access
View allSame technique Buffer Overflow
View allVendor StatusVendor
Debian
| Release | Status | Fixed Version | Urgency |
|---|---|---|---|
| bullseye | vulnerable | 5.32.1-4+deb11u3 | - |
| bullseye (security) | vulnerable | 5.32.1-4+deb11u5 | - |
| bookworm | vulnerable | 5.36.0-7+deb12u3 | - |
| bookworm (security) | vulnerable | 5.36.0-7+deb12u2 | - |
| trixie | vulnerable | 5.40.1-6 | - |
| forky, sid | vulnerable | 5.40.1-7 | - |
| (unstable) | fixed | (unfixed) | - |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31777