CVE Reports

Originally published at cvereports.com

CVE-2026-28208: Junrar Path Traversal: Arbitrary File Write via Backslash Confusion

Vulnerability ID: CVE-2026-28208
CVSS Score: 5.9
Published: 2026-02-27

A path traversal vulnerability in the Junrar Java library allows attackers to overwrite arbitrary files on Linux and Unix systems. The flaw arises from a semantic discrepancy in how backslash characters are handled during file validation versus file creation. By crafting a RAR archive with Windows-style path separators, an attacker can bypass directory traversal checks and write files outside the intended extraction directory, potentially leading to Remote Code Execution (RCE).

TL;DR

Junrar versions prior to 7.5.8 contain a critical path traversal flaw on POSIX systems. Attackers can embed files with backslash-containing names (e.g., '....\etc\passwd') in RAR archives. These bypass validation but are processed as directory separators during extraction, allowing arbitrary file writes and potential RCE.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-22
  • CVSS v3.1: 5.9 (Medium)
  • Attack Vector: Network (User Interaction Required)
  • Impact: Arbitrary File Write / RCE
  • Exploit Status: PoC Available
  • EPSS Score: 0.11%

Affected Systems

  • Junrar < 7.5.8 running on Linux
  • Junrar < 7.5.8 running on macOS/Unix
  • Junrar: < 7.5.8 (Fixed in: 7.5.8)

Code Analysis

Commit: 947ff1d

Fix path traversal by enforcing invariant separators

String name = invariantSeparatorsPathString(fh.getFileName());

Exploit Details

  • GitHub Advisory: Advisory containing description of the Python script PoC

Mitigation Strategies

  • Dependency Upgrade
  • Input Sanitization

Remediation Steps:

  1. Identify all projects using com.github.junrar:junrar in your build configuration (Maven pom.xml or Gradle build.gradle).
  2. Update the dependency version to 7.5.8 or later.
  3. Rebuild and redeploy the application.
  4. If immediate upgrading is not possible, implement a pre-extraction validation step that rejects any RAR archive containing file headers with backslash (\) characters when running on Linux/Unix systems.
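The separator confusion from the TL;DR and the pre-extraction validation of step 4, as an added example that is not Junrar's own code: a separator-naive traversal check beside one that maps backslashes to '/' before resolving the entry against the destination, in the spirit of the invariantSeparatorsPathString fix. The destination directory and the entry names are constructed sample values.

```java
import java.nio.file.Path;
import java.nio.file.Paths;

// Added example (not Junrar's code): compares a separator-naive check with a
// hardened one for RAR entry names before any file is created.
public class RarEntryPathCheck {

    // Vulnerable-style check: only splits on '/'. An entry name such as
    // "..\\..\\etc\\passwd" has no '/' segment equal to "..", so it passes,
    // even though the extraction step later treats '\\' as a separator.
    static boolean naiveIsSafe(String entryName) {
        for (String seg : entryName.split("/")) {
            if (seg.equals("..")) return false;
        }
        return true;
    }

    // Hardened check: normalize separators first, resolve against the
    // destination, and require the normalized result to stay inside it.
    // This also rejects absolute entry names such as "/etc/passwd".
    static boolean isSafe(Path destDir, String entryName) {
        String invariant = entryName.replace('\\', '/');
        Path base = destDir.toAbsolutePath().normalize();
        Path target = base.resolve(invariant).normalize();
        return target.startsWith(base) && !target.equals(base);
    }

    public static void main(String[] args) {
        Path dest = Paths.get("/tmp/extract");        // constructed destination
        String[] names = {                              // constructed entry names
            "docs/readme.txt", "..\\..\\etc\\passwd", "../../etc/passwd", "a\\..\\..\\x"
        };
        for (String n : names) {
            System.out.printf("%-22s naive=%-5b hardened=%b%n",
                    n, naiveIsSafe(n), isSafe(dest, n));
        }
    }
}
```

Only the first name passes the hardened check; the naive check wrongly accepts the two backslash forms.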
