VYPR
Critical severity · NVD Advisory · Published Mar 12, 2024 · Updated Feb 13, 2025

Apache Pulsar: Pulsar Functions Worker's Archive Extraction Vulnerability Allows Unauthorized File Modification

CVE-2024-27317

Description

In Pulsar Functions Worker, authenticated users can upload functions in jar or nar files. These files, essentially zip files, are extracted by the Functions Worker. However, if a malicious file is uploaded, it could exploit a directory traversal vulnerability. This occurs when the filenames in the zip files, which aren't properly validated, contain special elements like "..", altering the directory path. This could allow an attacker to create or modify files outside of the designated extraction directory, potentially influencing system behavior. This vulnerability also applies to the Pulsar Broker when it is configured with "functionsWorkerEnabled=true".

This issue affects Apache Pulsar versions from 2.4.0 to 2.10.5, from 2.11.0 to 2.11.3, from 3.0.0 to 3.0.2, from 3.1.0 to 3.1.2, and 3.2.0.

2.10 Pulsar Function Worker users should upgrade to at least 2.10.6. 2.11 Pulsar Function Worker users should upgrade to at least 2.11.4. 3.0 Pulsar Function Worker users should upgrade to at least 3.0.3. 3.1 Pulsar Function Worker users should upgrade to at least 3.1.3. 3.2 Pulsar Function Worker users should upgrade to at least 3.2.1.

Users operating versions prior to those listed above should upgrade to the aforementioned patched versions or newer versions.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Apache Pulsar Functions Worker directory traversal via archive extraction allows authenticated users to write files outside the intended directory.

Vulnerability

In Apache Pulsar, the Functions Worker extracts uploaded function archives (jar or nar files, which are zip files) without properly validating filenames. Malicious archives containing directory traversal sequences (e.g., "..") can cause files to be written outside the designated extraction directory [1][3][4].

Exploitation

An authenticated user can upload a crafted archive to exploit this flaw. The vulnerability also affects the Pulsar Broker when configured with functionsWorkerEnabled=true. No additional privileges beyond authentication are required [1].

Impact

By creating or modifying files outside the extraction path, an attacker can alter system behavior, potentially leading to arbitrary code execution or privilege escalation [1][3].

Mitigation

The vulnerability is fixed in Apache Pulsar versions 2.10.6, 2.11.4, 3.0.3, 3.1.3, and 3.2.1. Users running earlier versions should upgrade immediately [1][4].

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
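The entry-name check that the description and the Mitigation section are about, as an added example that is not code from Apache Pulsar or from this advisory: a small Python validator that flags zip entries whose normalised target path would leave the extraction directory, plus an extractor that refuses the whole archive before writing anything. The two sample archives, the /tmp/fn destination and all function names are constructed for this example.

```python
import io, os, tempfile, zipfile

def entry_escapes(dest_dir, entry_name):
    """True if extracting entry_name under dest_dir would land outside dest_dir."""
    dest = os.path.normpath(os.path.abspath(dest_dir))
    # Compare after normpath: an absolute name makes join drop dest, '..' climbs above it.
    target = os.path.normpath(os.path.join(dest, entry_name.replace("\\", "/")))
    return not (target == dest or target.startswith(dest + os.sep))

def escaping_entries(archive, dest_dir):  # zip bytes -> names that escape; [] = clean
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        return [n for n in zf.namelist() if entry_escapes(dest_dir, n)]

def safe_extract(archive, dest_dir):
    """Extract into dest_dir; rejects the whole archive before any write happens."""
    bad = escaping_entries(archive, dest_dir)
    if bad:
        raise ValueError(f"entries escape {dest_dir}: {bad}")
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            target = os.path.join(dest_dir, info.filename.replace("\\", "/"))
            os.makedirs(target if info.is_dir() else os.path.dirname(target), exist_ok=True)
            if not info.is_dir():
                with zf.open(info) as src, open(target, "wb") as dst:
                    dst.write(src.read())
        return [i.filename for i in zf.infolist() if not i.is_dir()]

def build_archive(entries):  # in-memory zip, used only to build the samples below
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()

# Constructed sample archives, not real Pulsar function packages.
BENIGN = build_archive({"META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n", "com/Fn.class": b"\xca\xfe"})
MALICIOUS = build_archive({"evil/Marker.class": b"", "../../outside.txt": b"x"})

def demo():
    """Flag the bad sample, then extract both into a temp dir; returns the results."""
    out = {"flagged": escaping_entries(MALICIOUS, "/tmp/fn"), "rejected": False}
    with tempfile.TemporaryDirectory() as tmp:
        out["written"] = safe_extract(BENIGN, tmp)
        try:
            safe_extract(MALICIOUS, tmp)
        except ValueError:  # validation failed first, so 'evil/' was never created
            out["rejected"] = not os.path.exists(os.path.join(tmp, "evil"))
    return out
```

The check looks only at entry names; symlink entries inside an archive need separate handling.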

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Ecosystem | Affected versions | Patched versions
org.apache.pulsar:pulsar-functions-worker | Maven | >= 2.4.0, < 2.10.6 | 2.10.6
org.apache.pulsar:pulsar-functions-worker | Maven | >= 2.11.0, < 2.11.4 | 2.11.4
org.apache.pulsar:pulsar-functions-worker | Maven | >= 3.0.0, < 3.0.3 | 3.0.3
org.apache.pulsar:pulsar-functions-worker | Maven | >= 3.1.0, < 3.1.3 | 3.1.3
org.apache.pulsar:pulsar-functions-worker | Maven | >= 3.2.0, < 3.2.1 | 3.2.1
