Description
The unarchive internal module's archive extraction commands perform no code-level validation on extracted file paths, relying entirely on the behavior of external tools (e.g. GNU tar) which varies by platform. While CVE-2025-10284 addressed git-specific RCE vectors, the underlying archive extraction path traversal was never fixed. On systems with GNU tar < 1.34 (Ubuntu 20.04, Debian Buster, CentOS 7, many Docker base images), a malicious archive can write files outside the intended extraction directory.
Published: 2026-06-17
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The unarchive module in Black Lantern Security BBOT does not validate the file paths of extracted archives, relying solely on external tools such as GNU tar, whose behavior varies across platforms. This omission allows a malicious archive to write files outside the intended extraction directory, potentially overwriting critical system files or placing arbitrary content on disk, which could then be leveraged for further compromise.

Affected Systems

Black Lantern Security BBOT is the affected product. The vulnerability manifests on systems that employ GNU tar versions older than 1.34, which includes Ubuntu 20.04, Debian Buster, CentOS 7, and numerous Docker base images. Specific BBOT version numbers are not disclosed in the advisory.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate risk, and the EPSS score of less than 1% suggests that exploitation is currently unlikely but not impossible; the vulnerability is not listed in the CISA KEV catalog. Exploitation requires an attacker to supply a crafted archive to the unarchive module; on vulnerable systems the archive can escape the intended directory, allowing arbitrary file creation or overwriting.

Generated by OpenCVE AI on June 18, 2026 at 18:12 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade GNU tar to version 1.34 or newer on all affected hosts, including Docker base images.
  • Update Black Lantern Security BBOT to the latest release or apply the fix for the unarchive path traversal flaw.
  • Modify the BBOT unarchive module to perform explicit path validation, rejecting any archive entries that resolve to locations outside the designated extraction directory.
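The third recommendation is the one that removes the dependency on the platform's tar binary. Below is an added example, not BBOT's own code, of what such code-level validation looks like in Python: every archive entry is mapped to its resolved on-disk target and rejected if that target is not inside the extraction directory, with symlink and hard-link targets checked the same way. The sample archives are constructed inline; the entry names in them are illustrative.

```python
from __future__ import annotations

import io
import os
import tarfile
import tempfile
from pathlib import Path


class UnsafeArchiveEntry(ValueError):
    """An archive member would be written, or would point, outside the extraction directory."""


def _inside(dest_real: Path, target: Path) -> bool:
    """True if target is dest_real itself or a descendant of it (both already resolved)."""
    return target == dest_real or dest_real in target.parents


def resolve_inside(dest: Path, name: str) -> Path:
    """Map an archive member name to its on-disk target, or raise if it escapes dest.

    resolve() collapses '..' and follows symlinks that already exist on disk, so
    'a/../../x', '/abs/x' and 'link-to-outside/x' are all caught in code.
    """
    if not name or os.path.isabs(name) or name.startswith(("/", "\\")):
        raise UnsafeArchiveEntry(f"absolute path rejected: {name!r}")
    dest_real = dest.resolve()
    target = (dest_real / name.replace("\\", "/")).resolve()
    if not _inside(dest_real, target):
        raise UnsafeArchiveEntry(f"escapes extraction directory: {name!r}")
    return target


def check_member(dest: Path, member: tarfile.TarInfo) -> Path:
    """Validate one tar entry: its own path and, for links, where the link points."""
    target = resolve_inside(dest, member.name)
    if member.issym():
        # A symlink target is relative to the directory that contains the link.
        if not _inside(dest.resolve(), (target.parent / member.linkname).resolve()):
            raise UnsafeArchiveEntry(f"symlink escapes: {member.name!r} -> {member.linkname!r}")
    elif member.islnk():
        # A hard link target is relative to the archive root.
        resolve_inside(dest, member.linkname)
    elif not (member.isfile() or member.isdir()):
        raise UnsafeArchiveEntry(f"special file rejected: {member.name!r}")
    return target


def unsafe_members(archive: bytes) -> list[str]:
    """Names of the entries that would escape a fresh extraction directory."""
    with tempfile.TemporaryDirectory() as tmp, tarfile.open(fileobj=io.BytesIO(archive)) as tar:
        bad = []
        for m in tar.getmembers():
            try:
                check_member(Path(tmp), m)
            except UnsafeArchiveEntry:
                bad.append(m.name)
        return bad


def safe_extract(archive: bytes, dest: Path) -> list[Path]:
    """Extract a tar held in memory, writing nothing unless every member validates."""
    written = []
    with tarfile.open(fileobj=io.BytesIO(archive)) as tar:
        members = tar.getmembers()
        for m in members:  # fail closed before the first write
            check_member(dest, m)
        for m in members:
            target = check_member(dest, m)  # re-check: earlier entries may have created symlinks
            if m.isdir():
                target.mkdir(parents=True, exist_ok=True)
            elif m.isfile():
                target.parent.mkdir(parents=True, exist_ok=True)
                with tar.extractfile(m) as src, open(target, "wb") as out:
                    out.write(src.read())
                written.append(target)
            elif m.issym():
                target.parent.mkdir(parents=True, exist_ok=True)
                target.symlink_to(m.linkname)
    return written


def build_archive(entries) -> bytes:
    """Constructed sample builder: entries are (name, data, symlink_target); data is None for symlinks."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data, link in entries:
            info = tarfile.TarInfo(name)
            if link is not None:
                info.type = tarfile.SYMTYPE
                info.linkname = link
                tar.addfile(info)
            else:
                info.size = len(data)
                tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


CLEAN_ARCHIVE = build_archive([("reports/ok.txt", b"hello", None)])
# Constructed zip-slip style sample: '..' traversal, an absolute path, and a symlink out of the tree.
MALICIOUS_ARCHIVE = build_archive([
    ("reports/ok.txt", b"hello", None),
    ("../../escape.txt", b"x", None),
    ("/etc/evil", b"x", None),
    ("link", None, "../outside"),
    ("link/payload", b"x", None),
])


def demo() -> tuple[list[str], list[str], list[str]]:
    """Extract both samples into a scratch directory; return (written, rejected, paths left on disk)."""
    with tempfile.TemporaryDirectory() as tmp:
        dest = Path(tmp).resolve()
        written = [p.relative_to(dest).as_posix() for p in safe_extract(CLEAN_ARCHIVE, dest)]
        try:
            safe_extract(MALICIOUS_ARCHIVE, dest)
            rejected = []
        except UnsafeArchiveEntry:
            rejected = unsafe_members(MALICIOUS_ARCHIVE)
        on_disk = sorted(p.relative_to(dest).as_posix() for p in dest.rglob("*"))
    return written, rejected, on_disk
```

Validating all members before the first write means a single bad entry rejects the whole archive rather than leaving a partial extraction behind, and re-checking each entry immediately before writing it closes the case where an earlier entry created a symlink that a later path would traverse. For code that uses Python's own tarfile rather than an external binary, `tarfile.extractall(filter="data")` (Python 3.12, backported to maintenance releases) applies equivalent rules.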


Advisories
Source: Github GHSA
ID: GHSA-3vgw-585j-4m45
Title: BBOT: Path traversal (Zip-Slip) in unarchive module - incomplete fix for CVE-2025-10284
History

Thu, 18 Jun 2026 16:45:00 +0000

Values Added (Metrics, ssvc):

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 18 Jun 2026 04:45:00 +0000

Values Added:
Description: The unarchive internal module's archive extraction commands perform no code-level validation on extracted file paths, relying entirely on the behavior of external tools (e.g. GNU tar) which varies by platform. While CVE-2025-10284 addressed git-specific RCE vectors, the underlying archive extraction path traversal was never fixed. On systems with GNU tar < 1.34 (Ubuntu 20.04, Debian Buster, CentOS 7, many Docker base images), a malicious archive can write files outside the intended extraction directory.
Title: Path Traversal (Zip-Slip) in unarchive module
Weaknesses: CWE-22
References:
Metrics (cvssV3_1):

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N'}



MITRE

Status: PUBLISHED

Assigner: BLSOPS

Published:

Updated: 2026-06-18T12:51:01.213Z

Reserved: 2026-06-17T21:31:34.919Z

Link: CVE-2026-12565

Vulnrichment

Updated: 2026-06-18T12:50:57.312Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-18T18:15:02Z

Weaknesses
  • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')