Description
Patool before 4.0.5 contains a path traversal vulnerability in the safe_extract() function in patoolib/programs/py_tarfile.py when running on Python before 3.12, where the is_within_directory() helper uses os.path.commonprefix() for character-level string comparison instead of path-level comparison, allowing a crafted archive member path to bypass the containment check. Attackers can supply a malicious archive with specially crafted member paths to write arbitrary files.
Published: 2026-06-26
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Patool versions prior to 4.0.5 contain a path traversal flaw in safe_extract(): its is_within_directory() helper verifies containment with os.path.commonprefix(), which compares the two absolute paths character by character rather than component by component. A member whose resolved path merely begins with the extraction directory's string (for example, an extraction directory /srv/out and a member resolving to /srv/outside/x) therefore passes the check even though it lies outside the directory. A crafted archive can exploit this to write attacker-controlled files outside the intended extraction directory, which can be used to drop malicious binaries or modify configuration files and may lead to privilege escalation or remote code execution, depending on what the extracting process can reach.

Affected Systems

The vulnerability affects the Patool archive handling library distributed by wummel. All releases older than 4.0.5 are vulnerable. The issue is triggered only when Patool runs under Python versions prior to 3.12, and it is addressed in 4.0.5 and later releases.

Risk and Exploitability

The CVSS v4.0 base score is 5.3 and the CVSS v3.1 score is 5.4, both Medium. EPSS data is not available, the vulnerability is not listed in the CISA KEV catalog, and the SSVC assessment records no known exploitation, rates the attack as not automatable, and rates the technical impact as partial. Both CVSS vectors model a remote, unprivileged attacker who needs user interaction (AV:N/PR:N/UI:R in v3.1, UI:P in v4.0): the attacker delivers a crafted archive and a victim, or a service acting on the victim's behalf, extracts it with Patool. If Patool runs inside an automated pipeline that unpacks untrusted archives (upload handlers, mail gateways, build or analysis systems), that interaction requirement is met routinely and the exposure rises substantially. A successful exploit writes attacker-controlled content outside the extraction directory, rated by the vectors as low impact to confidentiality and integrity (C:L/I:L) with no availability impact, although an overwritten configuration file, script or binary can be a step toward code execution.

Generated by OpenCVE AI on June 26, 2026 at 22:34 UTC.

Remediation

No vendor advisory or workaround is linked on this page. The CVE description itself identifies Patool 4.0.5 as the first release that corrects the check, so upgrading is the fix.

OpenCVE Recommended Actions

  • Upgrade Patool to version 4.0.5 or later, which replaces the character-level commonprefix() check with a component-level path comparison.
  • Where possible, run Patool under Python 3.12 or newer. The CVE description limits the vulnerable code path to Python before 3.12; 3.12 introduced tarfile extraction filters (PEP 706), which give the standard library its own component-level containment checks. Verify the interpreter that actually runs Patool, for example with `python -c 'import sys, tarfile; print(sys.version, hasattr(tarfile, "data_filter"))'`, since a service may be pinned to an older interpreter than the one on your PATH.
  • When upgrading is not immediately possible, extract untrusted archives under a dedicated low-privilege account into an empty, purpose-made directory whose parent contains nothing else (the commonprefix() bypass lands in sibling paths that share the extraction directory's name as a string prefix), ideally inside a container or sandbox. Pre-screen members before extraction and reject any whose name is absolute, contains a `..` component, or resolves outside the extraction directory under a component-level check such as os.path.commonpath(). After extraction, compare the files actually written against the archive's member list.

Generated by OpenCVE AI on June 26, 2026 at 22:34 UTC.
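
The flaw described in the Impact section and the component-level check recommended above, side by side, as an added example for this page. It is modelled on the CVE description and is not patool's own source: is_within_directory_vulnerable() reproduces the character-level os.path.commonprefix() comparison the CVE attributes to is_within_directory(), is_within_directory_fixed() uses os.path.commonpath(), and the archive, the member names and the /tmp/out extraction directory are constructed for the demonstration (nothing is written to disk).

```python
"""Vulnerable vs. hardened containment check for tar extraction.

Added example modelled on the flaw described in CVE-2026-29509; not patool's
own code. The archive and the /tmp/out extraction directory are constructed
for the demonstration and no file is extracted to disk.
"""
import io
import os
import tarfile
from typing import Callable, Dict, List


def is_within_directory_vulnerable(directory: str, target: str) -> bool:
    """Character-level prefix check (the pattern the CVE describes).

    commonprefix() operates on strings, not path components, so any target
    whose absolute path merely *starts with* the directory string passes,
    including a sibling directory such as /tmp/out-sibling for /tmp/out.
    """
    abs_directory = os.path.abspath(directory)
    abs_target = os.path.abspath(target)
    prefix = os.path.commonprefix([abs_directory, abs_target])
    return prefix == abs_directory


def is_within_directory_fixed(directory: str, target: str) -> bool:
    """Component-level check: the longest common *path* must be the directory."""
    abs_directory = os.path.abspath(directory)
    abs_target = os.path.abspath(target)
    try:
        return os.path.commonpath([abs_directory, abs_target]) == abs_directory
    except ValueError:
        # Raised when the paths are on different drives (Windows) or mix
        # absolute and relative forms; either way the target is not inside.
        return False


def build_crafted_tar() -> bytes:
    """Constructed sample archive: one benign member and two traversal members."""
    names = (
        "hello.txt",                  # legitimate
        "../out-sibling/pwned.txt",   # escapes into a sibling sharing the prefix
        "../../etc/pwned",            # escapes to a path with no shared prefix
    )
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in names:
            data = b"payload\n"
            info = tarfile.TarInfo(name)   # name is stored verbatim, '..' included
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def check_members(tar_bytes: bytes, outdir: str,
                  check: Callable[[str, str], bool]) -> Dict[str, bool]:
    """Apply a containment check to every member; returns name -> allowed."""
    results: Dict[str, bool] = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tar:
        for member in tar.getmembers():
            target = os.path.join(outdir, member.name)
            results[member.name] = check(outdir, target)
    return results


def bypassing_members(tar_bytes: bytes, outdir: str) -> List[str]:
    """Members the vulnerable check would extract but the fixed check rejects."""
    vulnerable = check_members(tar_bytes, outdir, is_within_directory_vulnerable)
    fixed = check_members(tar_bytes, outdir, is_within_directory_fixed)
    return [name for name, ok in vulnerable.items() if ok and not fixed[name]]


if __name__ == "__main__":
    outdir = "/tmp/out"   # assumed extraction directory for the demonstration
    archive = build_crafted_tar()
    for label, check in (("vulnerable", is_within_directory_vulnerable),
                         ("fixed", is_within_directory_fixed)):
        print(label, check_members(archive, outdir, check))
    print("bypass:", bypassing_members(archive, outdir))
```

Only the sibling-prefix member slips past the vulnerable check: `/tmp/out/../out-sibling/pwned.txt` resolves to `/tmp/out-sibling/pwned.txt`, whose common string prefix with `/tmp/out` is exactly `/tmp/out`, while `/etc/pwned` shares only `/` and is rejected by both checks. On Python 3.12 and newer, `tar.extractall(path, filter="data")` performs this component-level containment check inside the standard library and additionally rejects absolute names and links that point outside the destination, which is why the interpreter version matters for this CVE.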

Tracking


Advisories

No advisories yet.

History

Sat, 27 Jun 2026 04:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 26 Jun 2026 20:15:00 +0000

Type Values Removed Values Added
Description Patool before 4.0.5 contains a path traversal vulnerability in the safe_extract() function in patoolib/programs/py_tarfile.py when running on Python before 3.12, where the is_within_directory() helper uses os.path.commonprefix() for character-level string comparison instead of path-level comparison, allowing a crafted archive member path to bypass the containment check. Attackers can supply a malicious archive with specially crafted member paths to write arbitrary files.
Title Patool < 4.0.5 Path Traversal via safe_extract() Function
Weaknesses CWE-22
References
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N'}

cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-27T03:03:25.595Z

Reserved: 2026-03-04T15:39:26.871Z

Link: CVE-2026-29509

Vulnrichment

Updated: 2026-06-27T03:03:21.248Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-26T22:45:05Z

Weaknesses
  • CWE-22

    Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')