VYPR
← All advisories
Moderate severityOSV Advisory· Published Feb 13, 2024· Updated Mar 24, 2026

Registry-support: decompress can delete files outside scope via relative paths

CVE-2024-1485

Description

A flaw was found in the decompression function of registry-support. This issue can be triggered if an unauthenticated remote attacker tricks a user into parsing a devfile which uses the parent or plugin keywords. This could download a malicious archive and cause the cleanup process to overwrite or delete files outside of the archive, which should not be allowed.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

CVE-2024-1485 is a path traversal vulnerability in devfile registry-support's decompression function, enabling file overwrite/deletion outside the archive via malicious devfiles.

Vulnerability

Overview

CVE-2024-1485 is a path traversal vulnerability found in the decompression function of registry-support, a component used to handle devfile registries [1]. The flaw arises because the cleanup process after decompressing an archive does not properly sanitize file paths. This allows an attacker to craft an archive with entries containing path traversal sequences (e.g., ../), which can escape the intended extraction directory.

Exploitation

Method

The vulnerability can be triggered when an unauthenticated remote attacker tricks a user into parsing a devfile that uses the parent or plugin keywords [1][2]. The devfile processing logic will then download and decompress a referenced archive. A malicious archive containing files with manipulated paths can cause the extraction routine to write files to arbitrary locations outside the archive's designated directory [2]. The flaw specifically affects the file path cleanup function, which fails to neutralize traversal sequences, leading to the overwrite or deletion of unintended files on the system [4].

Impact

If successfully exploited, an attacker could achieve arbitrary file write or deletion on the affected system [1][2]. This could lead to data corruption, denial of service, or potentially code execution if critical system files are overwritten [3]. The vulnerability requires user interaction (parsing a devfile), but does not require authentication, increasing its reach [3].

Mitigation

Red Hat has acknowledged the flaw and a fix has been merged into the upstream repository [1][4]. The commit introduces a CleanFilepath function that properly sanitizes paths, preventing traversal outside the intended base directory [4]. Users are advised to update to the latest version of registry-support that includes this patch. As of the publication date, no evidence of exploitation in the wild has been reported.

References
  1. cve-details
  2. NVD - CVE-2024-1485
  3. CVE-2024-1485 - GitHub Advisory Database
  4. Merge pull request #197 from Jdubrick/security-fix · devfile/registry-support@0e44b9c

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
github.com/devfile/registry-support/registry-libraryGo
< 0.0.0-202402060.0.0-20240206

Affected products

1

Patches

1
0e44b9ca6d03

Merge pull request #197 from Jdubrick/security-fix

https://github.com/devfile/registry-supportJordan DubrickFeb 6, 2024via ghsa
commit
2 files changed · +88 2
  • registry-library/library/util.go+8 2 modified
    @@ -113,7 +113,7 @@ func decompress(targetDir string, tarFile string, excludeFiles []string) error {
 			continue
 		}
 
-		target := path.Join(targetDir, filepath.Clean(header.Name))
+		target := CleanFilepath(targetDir, header.Name)
 		switch header.Typeflag {
 		case tar.TypeDir:
 			err = os.MkdirAll(target, os.FileMode(header.Mode))
@@ -122,7 +122,6 @@ func decompress(targetDir string, tarFile string, excludeFiles []string) error {
 				return returnedErr
 			}
 		case tar.TypeReg:
-			/* #nosec G304 -- target is produced using path.Join which cleans the dir path */
 			w, err := os.OpenFile(target, os.O_CREATE|os.O_RDWR, os.FileMode(header.Mode))
 			if err != nil {
 				returnedErr = multierror.Append(returnedErr, err)
@@ -192,3 +191,10 @@ func getHTTPClient(options RegistryOptions) *http.Client {
 		Timeout: overriddenTimeout,
 	}
 }
+
+// Cleans a child path to ensure that there is no escaping from the parent directory with the use of ../ escape methods
+// Ensures that the child path is always contained and absolutely pathed from the parent
+func CleanFilepath(parent string, child string)string{
+	target := path.Join(parent, filepath.Clean("/"+child))
+	return target
+}
  • registry-library/library/util_test.go+80 0 modified
    @@ -18,6 +18,7 @@ package library
 import (
 	"reflect"
 	"testing"
+	"strings"
 )
 
 func TestValidateStackVersionTag(t *testing.T) {
@@ -130,3 +131,82 @@ func TestSplitVersionFromStack(t *testing.T) {
 		})
 	}
 }
+
+func TestCleanFilepath(t *testing.T) {
+	tests := []struct {
+		name       		string
+		parentPath   	string
+		childPath 		string
+		expectedPath 	string
+	}{
+		{
+			name:       "Absolute child path with leading slash",
+			parentPath: ".",
+			childPath: "/test/tmp",
+			expectedPath: "test/tmp",
+		},
+		{
+			name:       "Absolute child path without leading slash",
+			parentPath: ".",
+			childPath: "test/tmp",
+			expectedPath: "test/tmp",
+		},
+		{
+			name:       "Relative child path without leading slash",
+			parentPath: ".",
+			childPath: "../../../../test/tmp",
+			expectedPath: "test/tmp",
+		},
+		{
+			name:       "Relative child path with leading slash",
+			parentPath: ".",
+			childPath: "/../../../../test/tmp",
+			expectedPath: "test/tmp",
+		},
+		{
+			name:       "Absolute child path with leading slash and escape capabilities",
+			parentPath: ".",
+			childPath: "/home/../../../../test/tmp",
+			expectedPath: "test/tmp",
+		},
+		{
+			name:       "Absolute child path with leading slash and escape capabilities (parent path not current dir)",
+			parentPath: "newHome/dir",
+			childPath: "/home/../../../../test/tmp",
+			expectedPath: "newHome/dir/test/tmp",
+		},
+		{
+			name:       "Relative child path without leading slash and escape capabilities (parent path not current dir)",
+			parentPath: "newHome/dir",
+			childPath: "../home/../../../../test/tmp",
+			expectedPath: "newHome/dir/test/tmp",
+		},
+		{
+			name:       "Blank child path",
+			parentPath: "dir",
+			childPath: "",
+			expectedPath: "dir",
+		},
+		{
+			name:       "Child path only escape characters",
+			parentPath: "dir",
+			childPath: "../../../../../",
+			expectedPath: "dir",
+		},
+		{
+			name:       "Single file as child path",
+			parentPath: "dir",
+			childPath: "test.txt",
+			expectedPath: "dir/test.txt",
+		},
+	}
+
+	for _, test := range tests {
+		t.Run(test.name, func(t *testing.T) {
+			path:= CleanFilepath(test.parentPath, test.childPath)
+			if !strings.EqualFold(test.expectedPath, path) {
+				t.Errorf("Expected: %s, Got: %s", test.expectedPath, path)
+			}
+		})
+	}
+}

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

6

News mentions

0

No linked articles in our index yet.