CVE-2026-45390
CriticalCVSS 9.1Exploitation Probability (EPSS)
Low risk4th percentile — higher than 4% of all known CVEs
Summary
In OCaml-tar before version 3.4.0, a crafted archive with ../ path segments in its name allows escaping the current working directory. Although tar(1) rejects such extractions, ocaml-tar decompresses it anyway.
Risk Assessment
This vulnerability allows an attacker to write arbitrary files outside of the desired extraction directory, potentially leading to serious security breaches.
Recommendation
It is recommended to upgrade to OCaml-tar version 3.4.0 or later to mitigate this vulnerability.
Original NVD description (English source)
In OCaml-tar before 3.4.0, a crafted archive with ../ path segments in its name allows escaping the current working directory. This is not desired behavior, and tar(1) rejects such extractions, but ocaml-tar decompresses it anyway. The impact is that it allows arbitrary file writes outside of the desired extraction directory (to an attacker that can reach a tar decompression endpoint).

