VYPR
Unrated severity · NVD Advisory · Published Jun 18, 2026

OneDev: RCE through absolute-path symlink following allows low-privileged users to overwrite arbitrary server files via TarUtils.untar

CVE-2026-49248

Description

OneDev is a Git server with CI/CD, kanban, and packages. In versions 15.0.6 and below, TarUtils.untar() creates symbolic links verbatim from TAR entry getLinkName() without validating whether the target is an absolute path. A subsequent file entry in the same archive traverses the symlink, writing to arbitrary server-side locations. This is exploitable by any authenticated user with CI Job write access — no admin interaction required. This is an incomplete fix bypass of CVE-2021-21251 (GHSA-2w6j-wc8c-9mq2): that patch blocked .. path segments but did not address absolute symlink targets. This issue has been fixed in version 15.0.7.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

2 version ranges
  • theonedev/onedev (inferred, no CPE)
    • range: <=15.0.6 (affected)
    • range: >=15.0.7 (fixed)

Patches

Vulnerability mechanics

Root cause

"TarUtils.untar() creates symbolic links from TAR entry getLinkName() without validating whether the target is an absolute path."

Attack vector

An authenticated user with CI Job write access crafts a malicious TAR archive containing a symbolic link entry whose `getLinkName()` is an absolute path (e.g., `/etc/cron.d/malicious`). A subsequent file entry in the same archive writes content through that symlink, achieving arbitrary file write on the server. No admin interaction is required [ref_id=1]. This bypasses the previous fix for CVE-2021-21251, which blocked `..` path segments but did not restrict absolute symlink targets.

Affected code

The vulnerability resides in `TarUtils.untar()`, which creates symbolic links from TAR entry `getLinkName()` without validating whether the target is an absolute path. A subsequent file entry in the same archive can then be written through that symlink, landing at an arbitrary server-side location. The OneDev-side patch is a dependency bump only: it updates `commons.version` from 3.3.0 to 3.3.1 and `agent.version` from 2.5.8 to 2.5.9 in `pom.xml` [patch_id=6590931], so the corrected `untar()` logic lives in the updated commons library rather than in the OneDev repository itself.

What the fix does

The patch upgrades `commons.version` from 3.3.0 to 3.3.1 and `agent.version` from 2.5.8 to 2.5.9 in `pom.xml` [patch_id=6590931]. The advisory states that the updated commons library (likely Apache Commons Compress) now validates that symlink targets are not absolute paths, preventing the symlink traversal attack. The agent version bump is a related dependency update.
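The two checks a hardened `untar()` needs follow directly from the mechanics above: reject symlink entries whose target is absolute or resolves outside the extraction directory, and refuse to write any later entry whose path passes through a symlink that leaves that directory. The validator below is an added example written for this page, not OneDev's or the commons library's code; it uses Python's `tarfile` module to walk an archive held in memory and report offending members before anything touches disk. The extraction root `/srv/onedev/workspace` and the symlink target `/placeholder/outside-dir` in the constructed sample archive are placeholders, not paths from the advisory.

```python
import io
import os
import tarfile


def _inside(base, path):
    """True if the normalised absolute `path` lies within `base` (or is `base`)."""
    base = os.path.abspath(base)
    path = os.path.abspath(path)
    return path == base or path.startswith(base + os.sep)


def _resolve_through_links(path, dest, links):
    """Walk `path` one component at a time, substituting any prefix that an
    earlier archive member turned into a symlink. `links` maps a resolved
    symlink path to its (normalised) target."""
    cur = dest
    for part in os.path.relpath(path, dest).split(os.sep):
        cur = os.path.normpath(os.path.join(cur, part))
        if cur in links:
            cur = links[cur]
    return cur


def check_tar_members(data, dest="/srv/onedev/workspace"):
    """Return [(member_name, reason), ...] for every entry that would escape `dest`.

    Mirrors the checks a safe untar routine must make in order: entry names must
    stay under dest, symlink targets must be relative and resolve inside dest,
    and no later entry may be written through a symlink that points outside.
    Hard links are out of scope for this example.
    """
    findings = []
    links = {}  # resolved symlink path -> normalised target path
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        for m in tar:
            name = os.path.normpath(m.name)
            if os.path.isabs(m.name) or name == ".." or name.startswith(".." + os.sep):
                findings.append((m.name, "entry name escapes destination"))
                continue
            # Resolve the entry's path through any symlinks seen so far; this is
            # the step the vulnerable code skipped, so the file entry that follows
            # an absolute symlink is reported as the traversal it performs.
            resolved = _resolve_through_links(os.path.join(dest, name), dest, links)
            if not _inside(dest, resolved):
                findings.append((m.name, "path traverses a symlink outside destination"))
                continue
            if m.issym():
                if os.path.isabs(m.linkname):
                    target = os.path.normpath(m.linkname)
                    findings.append((m.name, "absolute symlink target"))
                else:
                    target = os.path.normpath(os.path.join(os.path.dirname(resolved), m.linkname))
                    if not _inside(dest, target):
                        findings.append((m.name, "symlink target escapes destination"))
                # Record the link even when rejected so that a later entry written
                # through it is still reported rather than silently passing.
                links[resolved] = target
    return findings


def build_sample_archive():
    """Constructed sample archive with the shape the advisory describes: a
    symlink entry with an absolute target, followed by a regular file whose path
    goes through that link. Two benign entries are included for contrast.
    The absolute target is a placeholder directory, not a real system path."""
    buf = io.BytesIO()
    payload = b"constructed sample content\n"
    with tarfile.open(fileobj=buf, mode="w") as tar:
        link = tarfile.TarInfo("link")
        link.type = tarfile.SYMTYPE
        link.linkname = "/placeholder/outside-dir"  # placeholder absolute target
        tar.addfile(link)
        dropped = tarfile.TarInfo("link/dropped.txt")  # written through the link
        dropped.size = len(payload)
        tar.addfile(dropped, io.BytesIO(payload))
        ok_file = tarfile.TarInfo("ok/file.txt")  # benign regular file
        ok_file.size = len(payload)
        tar.addfile(ok_file, io.BytesIO(payload))
        alias = tarfile.TarInfo("ok/alias")  # benign relative symlink inside dest
        alias.type = tarfile.SYMTYPE
        alias.linkname = "file.txt"
        tar.addfile(alias)
    return buf.getvalue()


if __name__ == "__main__":
    for member, reason in check_tar_members(build_sample_archive()):
        print(f"REJECT {member}: {reason}")
```

Running the script reports the symlink entry for its absolute target and the following `link/dropped.txt` entry for traversing it, while the two `ok/` entries pass. An extractor built on this check should abort on the first finding rather than skip the offending member, since a partially extracted archive can still leave a dangling link for a later job to follow. Python 3.12+ offers the same class of protection out of the box via `tarfile.extractall(..., filter="data")`, which likewise rejects absolute and escaping symlink targets.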

Preconditions

  • auth: Attacker must be an authenticated user with CI Job write access.
  • input: Attacker must be able to upload a crafted TAR archive to a CI job.

Generated on Jun 19, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
