Intel

AIKIDO-2026-428616

sevenz-rust2 is vulnerable to Path Traversal

Path Traversal Pre-CVE
Found by Aikido Intel before public disclosure or CVE publication.
Published Jun 24, 2026

70

High Risk

This Affects:

RUSTsevenz-rust2
0.7.0 - 0.21.0
Fixed in 0.21.1
Are you affected? Scan for Free

TL;DR

sevenz-rust2 extracts 7z archives by joining each archive entry name directly onto the destination directory without validating it. A crafted archive whose entry names contain .. traversal sequences, absolute paths, or Windows drive/root prefixes causes extracted files to be written outside the intended destination directory. An attacker who supplies a malicious archive can overwrite arbitrary files on the system, which can lead to code execution. The fix adds a safe_join helper that rejects parent-directory, root, and drive-prefix components and treats backslashes as separators on every platform.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range and your application extracts untrusted or attacker-supplied 7z archives.

Background info

sevenz-rust2 is vulnerable to Path Traversal in versions 0.7.0 - 0.21.0.

How to fix this

Upgrade the sevenz-rust2 library to the patch version.