CVE-2026-29064: Path Traversal via Symlink Extraction in Zarf
Vulnerability ID: CVE-2026-29064
CVSS Score: 8.2
Published: 2026-03-06
A high-severity path traversal vulnerability exists in the archive extraction component of Zarf, an airgap-native Kubernetes package manager. The flaw allows malicious packages to write files outside the intended extraction directory via unvalidated symbolic links. This vulnerability affects Zarf versions 0.54.0 through 0.73.0 and is remediated in version 0.73.1.
TL;DR
Zarf versions prior to 0.73.1 fail to validate symbolic link targets during archive extraction. Attackers can craft malicious packages containing symlinks that point to arbitrary locations on the host filesystem (e.g., /etc/shadow), leading to arbitrary file read or write access when the package is decompressed.
⚠️ Exploit Status: POC
Technical Details
- CVE ID: CVE-2026-29064
- CVSS v3.1: 8.2 (High)
- CWE ID: CWE-22
- Attack Vector: Local / User Interaction
- Impact: Arbitrary File Read/Write
- Affected Versions: 0.54.0 - 0.73.0
Affected Systems
- Zarf CLI < 0.73.1
-
Zarf: >= 0.54.0, < 0.73.1 (Fixed in:
0.73.1)
Code Analysis
Commit: 93f9c33
fix: use os.Root for archive extraction to prevent path traversal
func (h *defaultHandler) Handle(ctx context.Context, root *os.Root, header *tar.Header) error
Mitigation Strategies
- Upgrade Zarf to version 0.73.1 or later immediately.
- Avoid using 'zarf tools archiver decompress' on untrusted packages.
- Run Zarf extraction processes in isolated containers or sandboxes with limited filesystem access.
Remediation Steps:
- Identify the current Zarf version:
zarf version. - Download the latest release from the official GitHub repository.
- Replace the existing binary with the patched version (v0.73.1+).
- Verify the installation:
zarf versionshould report v0.73.1.
References
Read the full report for CVE-2026-29064 on our website for more details including interactive diagrams and full exploit analysis.
Top comments (0)