
CVE Reports

Originally published at cvereports.com


Rotten Core: Unpacking the Apple Containerization ZipSlip (CVE-2026-20613)

Vulnerability ID: CVE-2026-20613
CVSS Score: 9.3
Published: 2026-01-22

A critical ZipSlip vulnerability in Apple's containerization Swift package allows attackers to escape extraction roots and overwrite arbitrary system files via malicious archives.

TL;DR

The apple/containerization library used archive entry names as-is when computing extraction paths, without checking that each resolved path stayed inside the extraction root. A TAR file containing entries such as ../../etc/passwd therefore overwrites host files when the image is loaded. The fix rewrites the extraction logic to create directories and files through file-descriptor-relative system calls (openat, mkdirat) anchored at the extraction root, instead of concatenating path strings.
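To make the TL;DR concrete, here is an added Python example (not the project's Swift code and not from the advisory) that contrasts the textual path join the vulnerability class relies on with an extractor that walks each entry name component by component using dir_fd-relative calls, Python's interface to the openat/mkdirat family. The entry names, temporary directories and the planted symlink are constructed for the demonstration.

```python
import os
import tempfile


def vulnerable_target(root, name):
    """The pattern behind ZipSlip: textual concatenation of root and entry name.
    Nothing stops a name such as "../../etc/passwd" from walking out of `root`."""
    return os.path.join(root, name)


def safe_components(name):
    """Split an archive entry name into path components, rejecting anything that
    could leave the extraction root: absolute names, ".." components, empty names."""
    if name.startswith(("/", "\\")):
        raise ValueError(f"absolute entry name rejected: {name!r}")
    parts = []
    for comp in name.replace("\\", "/").split("/"):
        if comp in ("", "."):
            continue
        if comp == "..":
            raise ValueError(f"parent traversal rejected: {name!r}")
        parts.append(comp)
    if not parts:
        raise ValueError(f"empty entry name rejected: {name!r}")
    return parts


def write_entry(root_fd, name, data):
    """Create `name` beneath the directory already open at `root_fd`, one component
    at a time, using dir_fd-relative calls (openat/mkdirat semantics). The textual
    root path is never consulted again, and every directory is opened with
    O_NOFOLLOW, so a symlink planted by an earlier entry cannot redirect the walk
    outside the root. Returns the normalized relative path that was written."""
    parts = safe_components(name)
    dir_fd = os.dup(root_fd)
    try:
        for comp in parts[:-1]:
            try:
                os.mkdir(comp, 0o755, dir_fd=dir_fd)
            except FileExistsError:
                pass  # a real directory (fine) or a symlink (refused by the open below)
            next_fd = os.open(comp, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW, dir_fd=dir_fd)
            os.close(dir_fd)
            dir_fd = next_fd
        # O_EXCL refuses to clobber anything already present, symlinks included;
        # an extractor that must overwrite would unlink the old entry first instead.
        fd = os.open(parts[-1], os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW,
                     0o644, dir_fd=dir_fd)
        with os.fdopen(fd, "wb") as fh:
            fh.write(data)
    finally:
        os.close(dir_fd)
    return "/".join(parts)


def _raises(exc, fn, *args):
    try:
        fn(*args)
    except exc:
        return True
    return False


def demo_root_escape():
    """Run both strategies against constructed inputs: a traversal entry name and a
    symlink planted inside the root that points outside it. Returns what happened."""
    root = tempfile.mkdtemp(prefix="extract-root-")
    outside = tempfile.mkdtemp(prefix="outside-")
    os.symlink(outside, os.path.join(root, "esc"))  # stands in for an earlier hostile entry
    results = {}
    # The naive join is only computed here, never written to.
    naive = os.path.normpath(vulnerable_target(root, "../../etc/passwd"))
    results["naive_escapes"] = not naive.startswith(root + os.sep)
    root_fd = os.open(root, os.O_RDONLY | os.O_DIRECTORY)
    try:
        results["traversal_rejected"] = _raises(ValueError, write_entry, root_fd, "../../etc/passwd", b"x")
        results["symlink_rejected"] = _raises(OSError, write_entry, root_fd, "esc/pwned", b"x")
        results["benign_written"] = write_entry(root_fd, "./usr/bin/tool", b"ok") == "usr/bin/tool"
    finally:
        os.close(root_fd)
    with open(os.path.join(root, "usr", "bin", "tool"), "rb") as fh:
        results["benign_content"] = fh.read() == b"ok"
    results["outside_untouched"] = os.listdir(outside) == []
    return results


if __name__ == "__main__":
    for key, value in demo_root_escape().items():
        print(f"{key}: {value}")
```

The two defences are independent: the name check stops ".." and absolute names before any syscall, while the fd-relative walk with O_NOFOLLOW stops the symlink variant that a string check alone cannot see, because the link only exists on disk after an earlier entry created it.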


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-22 (Path Traversal)
  • CVSS v3.1: 9.3 (Critical)
  • Attack Vector: Network / Local (Archive)
  • Fix Commit: 3e93416b9a6d7b4c25fff7e9dea22a9ca687ee52
  • Impact: Arbitrary File Write / RCE
  • Language: Swift

Affected Systems

  • Swift-based container runtimes
  • CI/CD pipelines using Apple containerization tools
  • Custom tooling built on apple/containerization
  • apple/containerization: < Jan 15 2026 (Fixed in: Commit 3e93416b9a6d7b4c25fff7e9dea22a9ca687ee52)

Code Analysis

Commit: 3e93416

Fix ZipSlip vulnerability by switching to file-descriptor based extraction

Diff too large to display inline; involves rewriting ArchiveReader.swift to use openat/mkdirat.

Exploit Details

  • Hypothetical: Python script generating TAR with relative path traversal entries

Mitigation Strategies

  • Update apple/containerization to the latest version immediately.
  • Implement deep scanning of container images and archives before ingestion.
  • Run container extraction processes with the least privilege possible (non-root).
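The second mitigation, scanning archives before ingestion, can be done entirely on archive metadata without extracting anything. The following added Python scanner (not part of the advisory or of apple/containerization) flags the entry shapes that lead to ZipSlip: parent traversal or absolute entry names, symlink and hard-link targets that resolve outside the root, and device nodes. The sample archive it builds is a constructed fixture, not a real image.

```python
import io
import posixpath
import tarfile


def escapes_root(rel_path):
    """True when a slash-separated path, taken relative to the extraction root,
    resolves above it. Works purely on the string, so it needs no filesystem."""
    if posixpath.isabs(rel_path):
        return True
    norm = posixpath.normpath(rel_path)
    return norm == ".." or norm.startswith("../")


def scan_tar(data):
    """Inspect every member of a TAR image (bytes) and return (member name, reason)
    pairs for anything an extractor should refuse."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        for m in tar.getmembers():
            name = m.name.replace("\\", "/")
            if posixpath.isabs(name):
                findings.append((m.name, "absolute entry name"))
            elif escapes_root(name):
                findings.append((m.name, "parent traversal in entry name"))
            if m.issym():
                # A symlink target is resolved relative to the link's own directory.
                target = posixpath.join(posixpath.dirname(name), m.linkname)
                if posixpath.isabs(m.linkname) or escapes_root(target):
                    findings.append((m.name, f"symlink target escapes root: {m.linkname}"))
            elif m.islnk():
                # Hard-link targets are archive-relative names, so check them as entries.
                if escapes_root(m.linkname):
                    findings.append((m.name, f"hard link target escapes root: {m.linkname}"))
            if m.isdev():
                findings.append((m.name, "device node in image layer"))
    return findings


def is_safe_archive(data):
    return not scan_tar(data)


def build_sample_archive():
    """Constructed fixture: one benign file and one benign relative symlink
    alongside the entry shapes a ZipSlip scanner must flag."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        def add_file(name, payload):
            info = tarfile.TarInfo(name)
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))

        def add_link(name, target, kind):
            info = tarfile.TarInfo(name)
            info.type = kind
            info.linkname = target
            tar.addfile(info)

        add_file("usr/bin/tool", b"constructed benign content")
        add_link("usr/bin/alias", "../lib/real", tarfile.SYMTYPE)  # resolves inside the root
        add_file("../../etc/passwd", b"constructed payload")       # the classic ZipSlip name
        add_file("/etc/shadow", b"constructed payload")            # absolute entry name
        add_link("escape", "../../outside", tarfile.SYMTYPE)       # symlink out of the root
        add_link("hardlink", "/etc/passwd", tarfile.LNKTYPE)       # hard link to a host path
    return buf.getvalue()


if __name__ == "__main__":
    for member, reason in scan_tar(build_sample_archive()):
        print(f"REJECT {member}: {reason}")
```

Run the scanner on a layer before handing it to the extractor; a single finding is enough to reject the whole image, since a benign-looking file entry may depend on a symlink planted by an earlier member.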

Remediation Steps:

  1. Identify all projects depending on apple/containerization.
  2. Update Package.swift to pin the fixed commit or version.
  3. Rebuild and redeploy applications.
  4. Audit filesystem logs for openat calls containing traversal sequences.

Read the full report for CVE-2026-20613 on our website for more details including interactive diagrams and full exploit analysis.
