Patool
Monthly
Path traversal in Patool's safe_extract() function allows an attacker-controlled archive to write files to arbitrary locations on the filesystem when extracted by a victim running Patool before 4.0.5 on Python before 3.12. The flaw exists because the is_within_directory() helper in patoolib/programs/py_tarfile.py uses os.path.commonprefix() for character-level string prefix matching rather than path-component-level comparison, making it trivially bypassable with crafted member paths. No public exploit or CISA KEV listing has been identified at time of analysis, but the low-complexity exploitation conditions and complete integrity bypass make this a meaningful risk for affected deployments.
Path traversal in Patool's safe_extract() function allows an attacker-controlled archive to write files to arbitrary locations on the filesystem when extracted by a victim running Patool before 4.0.5 on Python before 3.12. The flaw exists because the is_within_directory() helper in patoolib/programs/py_tarfile.py uses os.path.commonprefix() for character-level string prefix matching rather than path-component-level comparison, making it trivially bypassable with crafted member paths. No public exploit or CISA KEV listing has been identified at time of analysis, but the low-complexity exploitation conditions and complete integrity bypass make this a meaningful risk for affected deployments.