GHSA-JXR7-MQHW-9P98
Vulnerability from github – Published: 2026-07-14 17:54 – Updated: 2026-07-14 17:54
VLAI
Summary
K3s: ZIP Archive Path Traversal Vulnerability in etcd Snapshot Decompression
Details
Summary
A path traversal vulnerability exists in K3s's etcd snapshot decompression functionality. Zip files containing archive members with maliciously crafted names (e.g., ../../../../etc/password) can be written to arbitrary locations on the filesystem when an administrator restores the archive as a compressed etcd snapshot.
Mitigations
- Enable golang's built-in insecure path protections when restoring snapshots by setting the
GODEBUGenvironment variable:bash GODEBUG=zipinsecurepath=0 k3s server --cluster-reset --cluster-reset-restore-path=/path/to/snapshot.zip - Manually extract the snapshot from the zip archive before restoring it. If the snapshot to be restored does not end with
.zip, the vulnerable extraction code will not be executed.
Additional Notes
Administrators should be aware of the cautions noted in the "Security" section of the documentation on Restoring Snapshots.
Severity
5.8 (Medium)
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/k3s-io/k3s"
},
"ranges": [
{
"events": [
{
"introduced": "1.35.0-rc1"
},
{
"fixed": "1.35.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/k3s-io/k3s"
},
"ranges": [
{
"events": [
{
"introduced": "1.34.0-rc1"
},
{
"fixed": "1.34.6"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/k3s-io/k3s"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.33.10"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-54250"
],
"database_specific": {
"cwe_ids": [
"CWE-22"
],
"github_reviewed": true,
"github_reviewed_at": "2026-07-14T17:54:14Z",
"nvd_published_at": "2026-06-25T19:16:41Z",
"severity": "MODERATE"
},
"details": "#### Summary\n\nA path traversal vulnerability exists in K3s\u0027s etcd snapshot decompression functionality. Zip files containing archive members with maliciously crafted names (e.g., `../../../../etc/password`) can be written to arbitrary locations on the filesystem when an administrator restores the archive as a compressed etcd snapshot.\n\n#### Mitigations\n\n* Enable golang\u0027s built-in [insecure path protections](https://pkg.go.dev/archive/zip#NewReader) when restoring snapshots by setting the`GODEBUG` environment variable:\n ```bash\n GODEBUG=zipinsecurepath=0 k3s server --cluster-reset --cluster-reset-restore-path=/path/to/snapshot.zip\n ```\n* Manually extract the snapshot from the zip archive before restoring it. If the snapshot to be restored does not end with `.zip`, the vulnerable extraction code will not be executed.\n\n#### Additional Notes\n\nAdministrators should be aware of the cautions noted in the \"Security\" section of the documentation on [Restoring Snapshots](https://docs.k3s.io/cli/etcd-snapshot#security).",
"id": "GHSA-jxr7-mqhw-9p98",
"modified": "2026-07-14T17:54:14Z",
"published": "2026-07-14T17:54:14Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/k3s-io/k3s/security/advisories/GHSA-jxr7-mqhw-9p98"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-54250"
},
{
"type": "PACKAGE",
"url": "https://github.com/k3s-io/k3s"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:N/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "K3s: ZIP Archive Path Traversal Vulnerability in etcd Snapshot Decompression"
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…