CVE-2026-45390
Description
OCaml-tar before 3.4.0 does not sanitize ../ path segments, allowing arbitrary file writes outside the extraction directory via crafted archives.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
OCaml-tar versions before 3.4.0 contain a path traversal vulnerability in the Tar_unix.extract function. The function uses Filename.concat to join the destination directory with the archive entry's file name, and Filename.concat performs no normalization: a name containing ../ segments is joined verbatim, so the resulting path can resolve outside the destination directory. A crafted archive whose entries carry ../ in their names can therefore write files outside the intended extraction directory. The advisory lists 3.3.0 as the affected version; the CVE description covers all releases before 3.4.0 [1].
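The following OCaml is an added illustration, not ocaml-tar's own code and not a documented workaround for this CVE. It contrasts the join pattern the advisory describes (Filename.concat with an unchecked entry name) with a lexical check that rejects absolute names and any ".." that would climb above the extraction root. The function names, the destination path and the sample entry names are all constructed for this example.

```ocaml
(* Added example, not ocaml-tar's own code. Shows why Filename.concat alone is
   unsafe for building an extraction target and one way to reject traversal. *)

(* The pattern described in the advisory: the entry name from the archive is
   joined to the destination without inspection, so "../" passes straight
   through. Kept deliberately unsafe to show the resulting path. *)
let unsafe_target ~dest name = Filename.concat dest name

(* Resolve "." and ".." lexically, one segment at a time. Returns None when the
   name is absolute, when ".." would climb above the root, or when the name
   collapses to the root itself (nothing to write). *)
let normalize_entry name =
  if String.length name > 0 && name.[0] = '/' then None
  else
    let rec go acc = function
      | [] -> Some (List.rev acc)
      | ("" | ".") :: rest -> go acc rest
      | ".." :: rest ->
        (match acc with
         | [] -> None                 (* would escape the extraction root *)
         | _ :: acc' -> go acc' rest)
      | seg :: rest -> go (seg :: acc) rest
    in
    match go [] (String.split_on_char '/' name) with
    | Some [] -> None
    | Some segs -> Some (String.concat Filename.dir_sep segs)
    | None -> None

(* Hardened join: only a normalized, root-relative name is appended to dest. *)
let safe_target ~dest name =
  match normalize_entry name with
  | None -> Error (Printf.sprintf "refusing entry %S: escapes %s" name dest)
  | Some rel -> Ok (Filename.concat dest rel)

let () =
  let dest = "/tmp/extract" in
  (* Constructed entry names: benign, self-cancelling, and crafted to escape. *)
  List.iter
    (fun name ->
      Printf.printf "%-24s unsafe=%s\n%-24s safe=%s\n" name
        (unsafe_target ~dest name) ""
        (match safe_target ~dest name with Ok p -> p | Error e -> e))
    [ "docs/README"; "a/../b"; "../../etc/cron.d/evil"; "/etc/passwd"; "a/../../x" ]
```

Run with `ocaml` on this file to see that "../../etc/cron.d/evil" is joined to "/tmp/extract/../../etc/cron.d/evil" by the unchecked form and rejected by the checked one. A lexical check like this only covers the entry name: an extractor that also materializes symlink or hard-link entries must separately verify that link targets stay inside the destination, otherwise a later regular-file entry can be written through a link that points outside the tree.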
Exploitation
An attacker who can submit a crafted tar archive to a component that extracts it with Tar_unix.extract can exploit this vulnerability. The archive must contain entries whose file names include ../ path segments. If the extraction endpoint is publicly reachable, no authentication or privileges are required, and no user interaction is needed beyond the system processing the archive [1].
Impact
Successful exploitation allows arbitrary file writes outside the intended extraction directory. The attacker can create or overwrite files at locations chosen by the crafted entry names, subject to the privileges of the extracting process, which can lead to remote code execution, privilege escalation, or denial of service. Comparable path traversal issues in tar libraries for other ecosystems have received CVSS scores ranging from 6.8 (MEDIUM) to 8.2 (HIGH) [1].
Mitigation
The vulnerability is fixed in version 3.4.0 of ocaml-tar. Users should upgrade to this version or later. No workaround is documented in the available references [1]. The vulnerability is not currently listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.
AI Insight generated on Jun 15, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE. Mechanics are only generated when the actual fix diff can be read; without it, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References: 1
News mentions: 0
No linked articles in our index yet.