CVE-2026-12565
MediumCVSS 5.3Exploitation Probability (EPSS)
Low risk11th percentile — higher than 11% of all known CVEs
Summary
The unarchive internal module does not perform validation on file paths during archive extraction, relying on external tools, which may lead to unauthorized system access. Specifically, on systems with GNU tar < 1.34, a malicious archive can write files outside the intended extraction directory.
Risk Assessment
Organizations may be exposed to attacks that exploit vulnerabilities in archive extraction, potentially leading to unauthorized access to data or systems. The risk particularly affects systems with specific versions of GNU tar.
Recommendation
It is recommended to update GNU tar to version 1.34 or newer and to review and restrict access to archives to minimize risk. Additionally, implementing file path validation mechanisms during extraction is advisable.
Original NVD description (English source)
The unarchive internal module's archive extraction commands perform no code-level validation on extracted file paths, relying entirely on the behavior of external tools (e.g. GNU tar) which varies by platform. While CVE-2025-10284 addressed git-specific RCE vectors, the underlying archive extraction path traversal was never fixed. On systems with GNU tar < 1.34 (Ubuntu 20.04, Debian Buster, CentOS 7, many Docker base images), a malicious archive can write files outside the intended extraction directory.

