VYPR
Medium severity (score 5.9, NVD Advisory) · Published Apr 20, 2026 · Updated Apr 23, 2026

CVE-2026-41245

Description

Junrar is an open source java RAR archive library. Prior to version 7.5.10, a path traversal vulnerability in LocalFolderExtractor allows an attacker to write arbitrary files with attacker-controlled content into sibling directories when a crafted RAR archive is extracted. Version 7.5.10 fixes the issue.
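The defect described above is a containment check that compared canonical path strings by bare prefix, so an entry resolving to a sibling directory whose name merely begins with the destination name (for example `extract_evil` next to `extract`) was accepted. The following example is written for this page and is not junrar's own code: it places the naive prefix check beside a separator-terminated prefix check (the shape of the 7.5.10 fix, with an added guard for destinations that are a filesystem root) and beside a component-wise `java.nio.file.Path` comparison. The destination directory and the entry names are constructed for the demonstration; nothing is written to disk.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Path;

// Example code added for this page; not part of junrar. It isolates the
// containment check an extractor performs before writing an archive entry.
public final class ExtractionTargetCheck {

    // Pre-7.5.10 behaviour: bare prefix comparison of canonical paths.
    // ".../extract_evil/pwned.txt" starts with ".../extract", so it passes.
    static boolean insideNaive(File destination, String entryName) throws IOException {
        File target = new File(destination, entryName);
        return target.getCanonicalPath().startsWith(destination.getCanonicalPath());
    }

    // 7.5.10 behaviour (prefix must end with a separator), plus a guard for a
    // destination that is a filesystem root, whose canonical path already ends
    // with a separator. The guard is an addition of this example, not the patch.
    static boolean insideFixed(File destination, String entryName) throws IOException {
        String base = destination.getCanonicalPath();
        if (!base.endsWith(File.separator)) {
            base += File.separator;
        }
        File target = new File(destination, entryName);
        return target.getCanonicalPath().startsWith(base);
    }

    // Alternative: compare path name elements instead of strings. Path.startsWith
    // matches whole components, so "extract_evil" never matches "extract".
    // Unlike getCanonicalPath() this is purely lexical and resolves no symlinks.
    static boolean insideByComponents(File destination, String entryName) {
        Path base = destination.toPath().toAbsolutePath().normalize();
        Path target = base.resolve(entryName).normalize();
        return target.startsWith(base) && !target.equals(base);
    }

    public static void main(String[] args) throws IOException {
        // Constructed destination under the JVM temp dir; it need not exist.
        File destination = new File(System.getProperty("java.io.tmpdir"), "extract");
        String[] entries = {
            "docs/readme.txt",            // legitimate, inside the destination
            "../extract_evil/pwned.txt",  // sibling whose name shares the prefix
            "../../outside/file.txt",     // outside the destination entirely
            ".",                          // the destination directory itself
        };
        System.out.printf("%-28s %-6s %-6s %-10s%n", "entry", "naive", "fixed", "components");
        for (String entry : entries) {
            System.out.printf("%-28s %-6b %-6b %-10b%n", entry,
                    insideNaive(destination, entry),
                    insideFixed(destination, entry),
                    insideByComponents(destination, entry));
        }
    }
}
```

Only the naive check accepts the sibling-prefix entry. Both corrected checks also reject an entry that resolves to the destination directory itself, which is what the patched comparison does too; an extractor that wants to tolerate a `.` directory entry has to treat that case explicitly rather than by widening the prefix test.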

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Ecosystem | Affected versions | Patched versions
com.github.junrar:junrar | Maven | < 7.5.10 | 7.5.10

Affected products

  • cpe:2.3:a:junrar_project:junrar:*:*:*:*:*:*:*:* (range: < 7.5.10)
  • (no CPE) (range: < 7.5.10)

Patches

Commit d77e9a83eb72

fix: better handling of files outside directory when extracting

https://github.com/junrar/junrar · Gauthier Roebroeck · Apr 15, 2026 · via GHSA
3 files changed · +22 −2
  • src/main/java/com/github/junrar/LocalFolderExtractor.java (modified, +2 −2)
    @@ -32,7 +32,7 @@ File createDirectory(final FileHeader fh) {
             File f = new File(folderDestination, fileName);
             try {
                 String fileCanonPath = f.getCanonicalPath();
    -            if (!fileCanonPath.startsWith(folderDestination.getCanonicalPath())) {
    +            if (!fileCanonPath.startsWith(folderDestination.getCanonicalPath() + File.separator)) {
                     String errorMessage = "Rar contains invalid path: '" + fileCanonPath + "'";
                     throw new IllegalStateException(errorMessage);
                 }
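Review bot: appending `File.separator` closes the sibling-prefix gap, but when `folderDestination` is a filesystem root (`/` on Unix, `C:\` on Windows) `getCanonicalPath()` already ends with a separator, so the concatenation yields a doubled separator and every entry would be rejected; guard with `endsWith(File.separator)` before appending, or compare `Path` name elements (`target.startsWith(base)`) instead of strings. The new condition also rejects an entry whose canonical path equals the destination itself (a `.` directory entry), which is probably intended but deserves a comment on the line.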
    @@ -58,7 +58,7 @@ private File createFile(final FileHeader fh, final File destination) throws IOEx
             String name = invariantSeparatorsPathString(fh.getFileName());
             File f = new File(destination, name);
             String dirCanonPath = f.getCanonicalPath();
    -        if (!dirCanonPath.startsWith(destination.getCanonicalPath())) {
    +        if (!dirCanonPath.startsWith(destination.getCanonicalPath() + File.separator)) {
                 String errorMessage = "Rar contains file with invalid path: '" + dirCanonPath + "'";
                 throw new IllegalStateException(errorMessage);
             }
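Review bot: this is the same prefix comparison as in `createDirectory` above, now duplicated with the same root-directory caveat; extract it into a single helper such as `requireInside(File base, File target)` so both call sites stay in sync and the edge case is handled once. `destination.getCanonicalPath()` is also recomputed for every entry, so caching it in the extractor would avoid a filesystem round trip per file.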
    
  • src/test/java/com/github/junrar/LocalFolderExtractorTest.java (modified, +20 −0)
    @@ -86,4 +86,24 @@ public void rarWithFileOutsideTarget_ShouldThrowException2() throws Exception {
                     .containsIgnoringCase(expectedInvalidPath.toString());
             }
         }
    +
    +    @Test
    +    public void rarWithFileOutsideTarget_ShouldThrowException3() throws Exception {
    +        File file = TestCommons.writeResourceToFolder(tempFolder, "sibling-prefix-traversal.rar");
    +
    +        File tempDir = new File("/tmp/extract");
    +        LocalFolderExtractor localFolderExtractor = new LocalFolderExtractor(tempDir);
    +
    +        try (Archive archive = new Archive(file)) {
    +            FileHeader fileHeader = archive.nextFileHeader();
    +
    +            String expectedInvalidPath = "/tmp/extract_evil/pwned.txt";
    +            Throwable thrown = catchThrowable(() -> localFolderExtractor.extract(archive, fileHeader));
    +
    +            assertThat(thrown).isInstanceOf(IllegalStateException.class);
    +            assertThat(thrown.getMessage())
    +                .containsIgnoringCase("Rar contains file with invalid path")
    +                .containsIgnoringCase(expectedInvalidPath);
    +        }
    +    }
     }
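Review bot: the new test hardcodes `/tmp/extract` and `/tmp/extract_evil/pwned.txt`, unlike the surrounding tests that build paths from `tempFolder`, so the message assertion will not hold on Windows where the canonical path uses a different root and separator; create the destination under `tempFolder` and derive `expectedInvalidPath` from `tempDir.getCanonicalPath() + "_evil"`. Since the `sibling-prefix-traversal.rar` fixture is binary and its entry name is not visible in the diff, a comment stating the entry it carries would document what the test exercises, and asserting that no file exists at the sibling path after the exception would confirm nothing was written before the check fired.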
    
  • src/test/resources/com/github/junrar/sibling-prefix-traversal.rar (added, binary)
