Impact
Junrar, the open-source Java RAR extraction library, contains a backslash path‑traversal flaw in its LocalFolderExtractor component. The flaw bypasses backslash handling on Linux/Unix, permitting an attacker to instruct the library to write any file with attacker‑controlled content to any arbitrary location on the filesystem when a crafted RAR archive is extracted. Because the library writes files without validating the target path, the vulnerability is an arbitrary file write (CWE‑22). If the crafted archive contains malicious scripts or binaries, overwriting configuration, shell profiles, source files, or cron jobs can lead to remote code execution.
Affected Systems
The issue affects all versions of the open‑source Junrar library before the 7.5.8 release. Junrar version 7.5.8 and later contain the fix. Any Java application that uses Junrar for archive extraction on a Linux or Unix system is susceptible if it is using an older version.
Risk and Exploitability
The vulnerability scores 5.9 on the CVSS scale and carries an EPSS rating of 12 %, indicating a moderate risk of exploitation. It is not listed in CISA’s KEV catalog, suggesting no known large‑scale exploit activity. Exploitation requires an attacker to supply a malicious RAR archive to a process that performs extraction, which is more likely in environments where users or services routinely handle untrusted archives.
OpenCVE Enrichment
Github GHSA