Home

Description

Archive::Tar versions before 3.08 for Perl extract symlinks with attacker controlled targets outside the extraction directory. _make_special_file() passes the tar header's linkname to symlink() without validating it against absolute paths or .. segments. The secure-extract mode check that guards regular file extraction does not cover the symlink target. A subsequent open through the extracted name reads or writes the attacker chosen path.

PUBLISHED Reserved 2026-04-27 | Published 2026-05-26 | Updated 2026-05-28 | Assigner CPANSec

Problem types

CWE-59 Improper Link Resolution Before File Access ('Link Following')

Product status

Default status
unaffected

Any version before 3.08
affected

Timeline

2026-04-12:Issue reported.
2026-05-22:Version 3.08 released.

References

github.com/...17c873492a05eddc0de18c1485e0b2cccd5a9158.patch patch

metacpan.org/release/BINGOS/Archive-Tar-3.08/changes release-notes

www.cve.org/CVERecord?id=CVE-2026-42497 related

cve.org (CVE-2026-42496)

nvd.nist.gov (CVE-2026-42496)

Download JSON