AIKIDO-2026-11010

github.com/intel/oneapi-cli is vulnerable to Path Traversal

Path Traversal Pre-CVE
Found by Aikido Intel before public disclosure or CVE publication.
Published Yesterday

81

High Risk

This Affects:

Go: github.com/intel/oneapi-cli
0.0.14 - 0.2.12
Fixed in 0.2.13

TL;DR

The tar extractor in this package previously allowed path traversal during extraction, enabling arbitrary file write outside the intended output directory (e.g., via ../ or absolute paths in tar headers). The fix adds a safe path-joining routine to prevent escapes and rejects unsafe link types (symlinks/hardlinks), with a regression test to ensure traversal cannot write outside the extraction directory.
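The two checks described above (a safe path join and rejection of link entries), shown as an added Go example that is not the oneapi-cli patch itself. `safeJoin`, `checkEntry` and `sampleEntries` are hypothetical names, the headers are constructed, and `/tmp/out` is an assumed extraction directory.

```go
package main

import (
	"archive/tar"
	"fmt"
	"path/filepath"
	"strings"
)

// Constructed headers (not from a real archive): one benign entry, then
// a ../ traversal, an absolute path, a symlink and a hardlink.
var sampleEntries = []*tar.Header{
	{Name: "samples/README.md", Typeflag: tar.TypeReg},
	{Name: "../../outside.txt", Typeflag: tar.TypeReg},
	{Name: "/abs/outside.txt", Typeflag: tar.TypeReg},
	{Name: "samples/link", Typeflag: tar.TypeSymlink, Linkname: "/abs"},
	{Name: "samples/hard", Typeflag: tar.TypeLink, Linkname: "../x"},
}

// safeJoin returns base/name, or an error when name is absolute or resolves
// outside base. Comparing via filepath.Rel avoids the string-prefix mistake
// of treating /tmp/out-evil as being inside /tmp/out.
func safeJoin(base, name string) (string, error) {
	if filepath.IsAbs(name) || strings.HasPrefix(name, "/") {
		return "", fmt.Errorf("absolute path in archive: %q", name)
	}
	target := filepath.Join(base, name) // Join also cleans "." and ".." segments
	rel, err := filepath.Rel(base, target)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("entry %q escapes %q", name, base)
	}
	return target, nil
}

// checkEntry validates one header before anything is written to disk.
func checkEntry(base string, h *tar.Header) (string, error) {
	if h.Typeflag == tar.TypeSymlink || h.Typeflag == tar.TypeLink {
		return "", fmt.Errorf("link entry rejected: %q -> %q", h.Name, h.Linkname)
	}
	return safeJoin(base, h.Name)
}

func main() {
	for _, h := range sampleEntries {
		path, err := checkEntry("/tmp/out", h)
		fmt.Printf("%-22q path=%q err=%v\n", h.Name, path, err)
	}
}
```

An extractor would call a check like this on every header returned by `tar.Reader.Next` and abort on the first error, before creating any file or directory.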

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range and if you use this package’s tar extraction functionality (e.g., ExtractTarGz) and run it on untrusted or attacker-controlled tar archives.

Background info

github.com/intel/oneapi-cli is vulnerable to Path Traversal in versions 0.0.14 - 0.2.12.

How to fix this

Upgrade the github.com/intel/oneapi-cli library to the patched version, 0.2.13.