VYPR
Critical severity · NVD Advisory · Published Dec 27, 2022 · Updated Apr 11, 2025

Path traversal in github.com/whyrusleeping/tar-utils

CVE-2020-36566

Description

A Zip Slip vulnerability in Go's tar-utils library allows arbitrary file overwrite outside the target directory.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.


Overview

CVE-2020-36566 describes a Zip Slip vulnerability present in the tar-utils library extracted from the go-ipfs codebase, developed by whyrusleeping [4]. The root cause is improper path sanitization when extracting archive files, allowing relative file paths (e.g., ../../evil.sh) to write or overwrite files outside the intended target directory [1][2]. This class of vulnerability affects multiple archive formats including tar, jar, war, and zip [2].

Exploitation

Details

The attack requires a specially crafted archive containing directory traversal filenames and extraction code that does not validate the resulting path [2]. The extraction process in tar-utils fails to check whether the resolved path stays within the designated destination folder, enabling an attacker to control where files are written. This can be triggered without authentication if an application automatically extracts untrusted archives (e.g., user uploads) [2].

Impact

Successful exploitation allows an attacker to write or overwrite arbitrary files on the system, potentially leading to remote code execution by overwriting executables or configuration files [2]. As a directory traversal vulnerability, it can also corrupt sensitive data and affect both client and server environments [2].

Mitigation

Status

The vulnerability has been addressed in tar-utils (see GO-2021-0106 [3]). Users should update to the fixed version. No workaround is generally effective other than validating all archive paths before extraction.
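One way to apply the "validate all archive paths before extraction" guidance in Go, as an added example written for this page rather than code from tar-utils: SafeOutputPath mirrors the fixed outputPath check (reject any ".." element) and adds a second check that the joined path still lies under the extraction root, RejectedEntries screens a whole tar stream before anything is written, and SampleTar is a constructed in-memory fixture. All three names and the root /tmp/extract are assumptions of this example.

```go
package main

import (
	"archive/tar"
	"bytes"
	"fmt"
	"io"
	"path/filepath"
	"strings"
)

// SafeOutputPath (example code, not tar-utils) rebases an entry name onto root and
// rejects empty/absolute names, any ".." element and any joined path still escaping root.
func SafeOutputPath(root, name string) (string, error) {
	for i, e := range strings.Split(name, "/") {
		if e == ".." || (i == 0 && e == "") {
			return "", fmt.Errorf("%q: absolute name or path contains '..'", name)
		}
	}
	out := filepath.Join(root, filepath.FromSlash(name))
	if rel, err := filepath.Rel(root, out); err != nil || rel == ".." || strings.HasPrefix(rel, "../") {
		return "", fmt.Errorf("%q: resolves outside %s", name, root)
	}
	return out, nil
}

// RejectedEntries screens a tar image without writing; returns names SafeOutputPath refuses.
func RejectedEntries(archive []byte, root string) ([]string, error) {
	tr, rejected := tar.NewReader(bytes.NewReader(archive)), []string{}
	for hdr, err := tr.Next(); err != io.EOF; hdr, err = tr.Next() {
		if err != nil {
			return nil, err
		}
		if _, bad := SafeOutputPath(root, hdr.Name); bad != nil {
			rejected = append(rejected, hdr.Name)
		}
	}
	return rejected, nil
}

func SampleTar() []byte { // constructed fixture: one benign entry plus one traversal name
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	for _, name := range []string{"pkg/README", "pkg/../../evil.sh"} {
		tw.WriteHeader(&tar.Header{Name: name, Typeflag: tar.TypeReg, Size: 2})
		tw.Write([]byte("ok"))
	}
	tw.Close()
	return buf.Bytes()
}
```

Running RejectedEntries(SampleTar(), "/tmp/extract") returns only the traversal entry name, so an upload can be refused as a whole before any extractor touches the filesystem.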

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: github.com/whyrusleeping/tar-utils (Go)
Affected versions: < 0.0.0-20201201191210-20a61371de5b
Patched versions: 0.0.0-20201201191210-20a61371de5b

Patches (1)

Commit 20a61371de5b

more closely match default tar errors (GNU + BSD binaries)

https://github.com/whyrusleeping/tar-utils · Adin Schmahmann · Dec 1, 2020 · via ghsa
1 file changed · +6 −1
  • extractor.go (+6 −1, modified)
    @@ -104,7 +104,12 @@ func (te *Extractor) Sanitize(toggle bool) {
     
     // outputPath returns the path at which to place tarPath
     func (te *Extractor) outputPath(tarPath string) (outPath string, err error) {
    -	elems := strings.Split(tarPath, "/")    // break into elems
    +	elems := strings.Split(tarPath, "/") // break into elems
    +	for _, e := range elems {
    +		if e == ".." {
    +			return "", fmt.Errorf("%s : path contains '..'", tarPath)
    +		}
    +	}
     	elems = elems[1:]                       // remove original root
     	outPath = strings.Join(elems, "/")      // join elems
     	outPath = gopath.Join(te.Path, outPath) // rebase on to extraction target root
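Review bot: the new loop rejects a `..` element anywhere in tarPath before `elems = elems[1:]` strips the original root, so a leading `..` is rejected as well, but the function still returns `gopath.Join(te.Path, outPath)` without confirming the result lies under te.Path; a second check after the Join, for example that `filepath.Rel(te.Path, outPath)` does not begin with `..`, would catch anything the per-element string comparison misses and costs two lines. The hunk also calls `fmt.Errorf` while the import block is outside it, so confirm `fmt` is imported in extractor.go. The change to the first `elems :=` line only realigns its trailing comment and could be dropped to keep the security fix minimal.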
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
