Description
SharpCompress is a fully managed C# library to deal with many compression types and formats. In 0.47.4 and earlier, a path traversal vulnerability in IArchive.WriteToDirectory() allows a malicious archive to create directories outside the intended extraction root. For TAR archives, this can be escalated to arbitrary file writes by chaining with a symlink entry, giving a full write primitive on the target filesystem subject to the permissions of the running process.
Published: 2026-05-26
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

SharpCompress’s IArchive.WriteToDirectory() implementation allows a malicious archive to create directories outside the intended extraction root, a classic path traversal flaw. In the case of TAR archives the flaw can be amplified by chaining a symlink entry to perform arbitrary file writes, giving the running process a write primitive on the target filesystem. This can lead to overwriting critical files or placing malicious payloads when the extraction runs with elevated privileges, thereby granting an attacker unauthorized modification rights to the system.

Affected Systems

The vulnerable product is the SharpCompress library from adamhathcock, used in .NET applications. All releases up to and including version 0.47.4 are affected. Any application that references those versions and processes archives via WriteToDirectory() could be compromised.

Risk and Exploitability

The CVSS score of 5.9 indicates moderate severity. EPSS is not available, so no concrete exploitation probability can be given, and the flaw is not in CISA’s KEV catalog. Whether the attack vector is local or remote depends on whether the application accepts user-supplied archives. If the application runs as a privileged user, the chained symlink attack grants a full write primitive that could be used to compromise the host. With no known public exploit, the risk depends on the attack surface each deployment exposes, but the moderate score signals that patching should be prioritized.

Generated by OpenCVE AI on May 26, 2026 at 22:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade SharpCompress to the latest released version that includes the patch (0.48.0 or newer).
  • If updating immediately is not possible, run the extraction under the least privileged account and restrict the destination directory to a dedicated, low-privilege location.
  • As a temporary safeguard, disable symlink resolution and ignore any archive entry that attempts to write outside the extraction root during TAR extraction.
  • Validate all archive entry names against the intended extraction root before calling WriteToDirectory() and reject any entry containing absolute paths or traversal sequences.
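As an added example (not SharpCompress project code), the following wrapper applies the last two recommendations above: it resolves every entry name against the extraction root before anything is written and refuses link entries, walking the archive itself instead of calling IArchive.WriteToDirectory(). It assumes SharpCompress's IArchiveEntry exposes Key, IsDirectory and LinkTarget plus the WriteToFile extension, that archive keys use '/' as separator, and the class name SafeExtract is hypothetical.

```csharp
using System;
using System.IO;
using SharpCompress.Archives;
using SharpCompress.Common;

static class SafeExtract
{
    // Return the absolute path an entry would land at, or null when the entry name
    // is rooted or resolves outside the extraction root once ".." has been collapsed.
    public static string? ResolveInsideRoot(string root, string entryKey)
    {
        string rootFull = Path.GetFullPath(root);
        // Trailing separator so a sibling such as "out-evil" is not taken for "out".
        if (!rootFull.EndsWith(Path.DirectorySeparatorChar))
            rootFull += Path.DirectorySeparatorChar;
        if (Path.IsPathRooted(entryKey))          // archive names must be relative
            return null;
        // Assumption: keys use '/'; map to the host separator before normalising.
        string candidate = Path.GetFullPath(
            Path.Combine(rootFull, entryKey.Replace('/', Path.DirectorySeparatorChar)));
        return candidate.StartsWith(rootFull, StringComparison.Ordinal) ? candidate : null;
    }

    // Walk the archive entry by entry instead of calling IArchive.WriteToDirectory(),
    // so every directory, file and link name is checked before anything touches disk.
    public static void Extract(string archivePath, string root)
    {
        using IArchive archive = ArchiveFactory.Open(archivePath);
        foreach (IArchiveEntry entry in archive.Entries)
        {
            if (string.IsNullOrEmpty(entry.Key)) continue;
            string? target = ResolveInsideRoot(root, entry.Key);
            if (target is null)
            {
                Console.WriteLine($"rejected (outside root): {entry.Key}");
                continue;
            }
            // Never materialise link entries: a link that points outside the root is
            // what turns the directory traversal into the TAR file-write chain.
            if (!string.IsNullOrEmpty(entry.LinkTarget))
            {
                Console.WriteLine($"rejected (link entry): {entry.Key} -> {entry.LinkTarget}");
                continue;
            }
            if (entry.IsDirectory) { Directory.CreateDirectory(target); continue; }
            Directory.CreateDirectory(Path.GetDirectoryName(target)!);
            entry.WriteToFile(target, new ExtractionOptions { Overwrite = false });
        }
    }
}
```

Rejected entries are logged rather than silently dropped so that an archive carrying traversal or link entries can be flagged by whatever monitors the extraction job.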

Advisories
Source: GitHub GHSA
ID: GHSA-6c8g-7p36-r338
Title: SharpCompress has directory traversal via directory entries in WriteToDirectory (zip slip variant)
History

Fri, 05 Jun 2026 18:15:00 +0000
  CPEs
    Removed: cpe:2.3:a:sharpcompress_project:sharpcompress:*:*:*:*:*:*:*:*
    Added: cpe:2.3:a:adamhathcock:sharpcompress:*:*:*:*:*:*:*:*
  Vendors & Products
    Removed: Sharpcompress Project; Sharpcompress Project sharpcompress

Wed, 03 Jun 2026 02:30:00 +0000
  First Time appeared
    Added: Sharpcompress Project; Sharpcompress Project sharpcompress
  CPEs
    Added: cpe:2.3:a:sharpcompress_project:sharpcompress:*:*:*:*:*:*:*:*
  Vendors & Products
    Added: Sharpcompress Project; Sharpcompress Project sharpcompress

Wed, 27 May 2026 13:30:00 +0000
  Metrics
    Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 27 May 2026 10:30:00 +0000
  First Time appeared
    Added: Adamhathcock; Adamhathcock sharpcompress
  Vendors & Products
    Added: Adamhathcock; Adamhathcock sharpcompress

Tue, 26 May 2026 21:45:00 +0000
  Description
    Added: SharpCompress is a fully managed C# library to deal with many compression types and formats. In 0.47.4 and earlier, a path traversal vulnerability in IArchive.WriteToDirectory() allows a malicious archive to create directories outside the intended extraction root. For TAR archives, this can be escalated to arbitrary file writes by chaining with a symlink entry, giving a full write primitive on the target filesystem subject to the permissions of the running process.
  Title
    Added: SharpCompress: Directory traversal via directory entries in WriteToDirectory (zip slip variant)
  Weaknesses
    Added: CWE-22
  References
    Added: (none listed)
  Metrics
    Added: cvssV3_1 {'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:L'}


MITRE
  Status: PUBLISHED
  Assigner: GitHub_M
  Published:
  Updated: 2026-05-27T12:46:16.036Z
  Reserved: 2026-05-07T19:20:44.691Z
  Link: CVE-2026-44788

Vulnrichment
  Updated: 2026-05-27T12:46:01.510Z

NVD
  Status: Analyzed
  Published: 2026-05-26T22:16:42.587
  Modified: 2026-06-05T18:10:59.450
  Link: CVE-2026-44788

Redhat
  No data.

OpenCVE Enrichment
  Updated: 2026-05-27T10:08:11Z
  Weaknesses
    • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')