Intel

AIKIDO-2026-414442

tar-fs is vulnerable to Path Traversal

Path Traversal Pre-CVE
Found by Aikido Intel before public disclosure or CVE publication.
Published Jul 1, 2026

48

Medium Risk

This Affects:

JStar-fs
0.5.1 - 2.1.4
Fixed in 2.1.5
3.0.0 - 3.1.2
Fixed in 3.1.3
Are you affected? Scan for Free

TL;DR

The package’s tar extraction logic previously allowed crafted archives to escape the intended extraction directory (CWD) via path traversal and symlink tricks (including when using opts.strip), and could write through pre-existing symlinks. The patch adds explicit root-escape guards, rejects escaping symlinks, avoids following existing symlinks, and strips special permission bits (setuid/setgid/sticky) from extracted entries.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range.

Background info

tar-fs is vulnerable to Path Traversal in versions 3.0.0 - 3.1.2 and 0.5.1 - 2.1.4.

How to fix this

Upgrade the tar-fs library to the patch version.