VYPR
High severity · GHSA Advisory · Published Dec 27, 2018 · Updated Aug 5, 2024

CVE-2018-1000888

Description

PEAR Archive_Tar version 1.4.3 and earlier contains a CWE-502, CWE-915 vulnerability in the Archive_Tar class. There are several file operations with $v_header['filename'] as parameter (such as file_exists, is_file, is_dir, etc). When extract is called without a specific prefix path, we can trigger unserialization by crafting a tar file with phar://[path_to_malicious_phar_file] as path. Object injection can be used to trigger destruct in the loaded PHP classes, e.g. the Archive_Tar class itself. With Archive_Tar object injection, arbitrary file deletion can occur because @unlink($this->_temp_tarname) is called. If another class with useful gadget is loaded, it may be possible to cause remote code execution that can result in files being deleted or possibly modified. This vulnerability appears to have been fixed in 1.4.4.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

PEAR Archive_Tar <=1.4.3 allows phar deserialization via crafted tar filenames, leading to object injection and arbitrary file deletion or RCE.

Vulnerability

PEAR Archive_Tar versions 1.4.3 and earlier contain a vulnerability (CWE-502, deserialization of untrusted data; CWE-915, improperly controlled modification of dynamically-determined object attributes) in the Archive_Tar class. Several file operations (file_exists, is_file, is_dir and others) receive $v_header['filename'], the entry name read straight from the tar header. The only existing filter, _maliciousFilename(), rejected path traversal but not stream-wrapper prefixes. When extract() is called without a prefix path the entry name is used as-is, so an entry named phar://[path_to_malicious_phar_file] sends those calls through PHP's phar stream wrapper, which unserializes the phar's metadata and yields PHP object injection. [1][3]

Exploitation

An attacker needs to get a crafted tar file to an application that calls Archive_Tar::extract() without a prefix path, and needs a malicious phar file already present at a path the PHP process can read: the phar:// wrapper operates on local files, so the phar has to be planted first (the wrapper ignores the file extension, so any unvalidated upload path can serve). The attacker builds the phar with metadata holding a serialized object of a class that is loaded at extraction time, Archive_Tar itself being the simplest choice, with its _temp_tarname property set to the path of the file to delete. The tar then carries an entry whose name is phar://[path_to_malicious_phar_file]. When extract() stats that entry (file_exists, is_file, is_dir), the phar wrapper parses the archive and unserializes its metadata, instantiating the object with attacker-chosen properties. When that object is destroyed, Archive_Tar::__destruct() runs @unlink($this->_temp_tarname), deleting the chosen file. This implicit unserialization of phar metadata is PHP behaviour that PHP 8.0 removed (metadata is only unserialized on an explicit Phar::getMetadata() call), so the primitive applies to the PHP 5.x and 7.x runtimes Archive_Tar 1.4.x was used on. [1][4]

Impact

Successful exploitation lets the attacker delete any file the PHP process is allowed to unlink, by choosing the value of _temp_tarname. If a class with a more useful gadget (a __destruct() or __wakeup() method that writes files or evaluates code) is loaded at the time, the same object injection can escalate to remote code execution and from there to data deletion or modification. No authentication is needed beyond whatever the application requires to submit a tar file, but the attacker must also be able to place the phar payload on the target's filesystem. [1][3][4]

Mitigation

The vulnerability is fixed in version 1.4.4, released on 2018-12-27. The fix, committed in [2], makes _maliciousFilename() reject any entry name that starts with the string phar://, so such entries are refused before any file operation sees them. Users should upgrade to 1.4.4 or later. No official workaround exists for earlier versions; the trigger condition stated in the description is extraction without a prefix path, so unpatched callers that pass an explicit destination directory to extract() narrow their exposure, but that is not a substitute for upgrading. This CVE is not listed in the KEV catalog. [1][2]
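Pre-extraction entry-name scan, as an added example that is not part of this advisory or of the Archive_Tar code. It serves both the Exploitation and Mitigation sections above: it builds a constructed tar holding the phar:// entry-name pattern described in Exploitation, ports to Python the two checks visible in the 1.4.4 fix hunk, and contrasts them with a stricter filter. The entry names, the path ./evil.phar and the strict rule set are all assumptions made for the demo; nothing here is written to disk. It is written in Python so it runs stand-alone; the same rules could be applied in PHP over Archive_Tar::listContent() before calling extract().

```python
import io
import re
import tarfile

# Port of the checks visible in the 1.4.4 fix hunk of
# Archive_Tar::_maliciousFilename(): an exact-case 'phar://' prefix test
# followed by the pre-existing '/../' test. Only the lines shown in the hunk
# are ported; this is not the library's own code.
def malicious_filename_1_4_4(name: str) -> bool:
    if name.startswith("phar://"):
        return True
    if "/../" in name:
        return True
    return False


# Assumed stricter filter (mine, not upstream's): reject any URL-style scheme
# prefix regardless of case, because PHP looks stream-wrapper names up
# case-insensitively, plus any '..' path component and absolute paths.
_SCHEME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.\-]*://")


def malicious_filename_strict(name: str) -> bool:
    if _SCHEME_RE.match(name):
        return True
    parts = name.replace("\\", "/").split("/")
    if ".." in parts:
        return True
    return name.startswith("/")


def build_demo_tar() -> bytes:
    """Constructed sample archive for the demo. The names are fabricated and
    ./evil.phar does not need to exist for the scan to run."""
    names = [
        "docs/readme.txt",        # benign
        "phar://./evil.phar",     # the CVE-2018-1000888 pattern, blocked by 1.4.4
        "PHAR://./evil.phar",     # same wrapper to PHP, missed by an exact-case test
        "../../etc/cron.d/job",   # traversal, caught by the older '/../' test
    ]
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for n in names:
            info = tarfile.TarInfo(n)
            info.size = 1
            tar.addfile(info, io.BytesIO(b"x"))
    return buf.getvalue()


def scan(tar_bytes: bytes, check) -> list:
    """Return the entry names that `check` flags. Run this over an archive
    before handing it to any extractor; it only reads headers."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tar:
        return [m.name for m in tar.getmembers() if check(m.name)]


if __name__ == "__main__":
    blob = build_demo_tar()
    print("1.4.4 check flags :", scan(blob, malicious_filename_1_4_4))
    print("strict check flags:", scan(blob, malicious_filename_strict))
```

The ported 1.4.4 check flags the lowercase phar:// entry and the traversal entry but passes PHAR://./evil.phar, which PHP would still route through the phar wrapper; the stricter filter flags all three hostile names. Scanning entry names this way is a defence-in-depth layer for code that cannot upgrade immediately, not a replacement for 1.4.4.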

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                        Affected versions   Patched versions
pear/archive_tar (Packagist)   < 1.4.4             1.4.4

Affected products: 5

Patches: 1

59ace120ac5c

Don't allow filenames to start with phar://

https://github.com/pear/Archive_Tar · Michiel Rook · Dec 20, 2018 · via ghsa
1 file changed · +3 −0
  • Archive/Tar.php · +3 −0 · modified
    @@ -1767,6 +1767,9 @@ private function _tarRecToSize($tar_size)
          */
         private function _maliciousFilename($file)
         {
    +        if (strpos($file, 'phar://') === 0) {
    +            return true;
    +        }
             if (strpos($file, '/../') !== false) {
                 return true;
             }
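Review bot: the new guard at the top of _maliciousFilename() uses strpos($file, 'phar://') === 0, which is case-sensitive, while PHP resolves stream-wrapper scheme names case-insensitively, so an entry named PHAR://... or Phar://... still reaches file_exists() and the other calls with the wrapper active. Compare case-insensitively (stripos($file, 'phar://') === 0) or, better, reject any scheme prefix (preg_match('#^[a-z][a-z0-9+.-]*://#i', $file)) so other registered wrappers are covered as well rather than only the one named in this report.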
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 17

News mentions: 0 (no linked articles in the index yet)