Description
In OCaml-tar before 3.4.0, a crafted archive with ../ path segments in its name allows escaping the current working directory. This is not desired behavior, and tar(1) rejects such extractions, but ocaml-tar decompresses it anyway. The impact is that it allows arbitrary file writes outside of the desired extraction directory (to an attacker that can reach a tar decompression endpoint).
Published: 2026-06-15
Score: 9.1 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

OCaml‑tar before version 3.4.0 accepts archives that contain '../' path segments in member names. When extracted, the library writes the files outside the target directory, allowing an attacker who can submit a crafted tar archive to an extraction endpoint to overwrite arbitrary files. This directory traversal flaw (CWE‑22) may lead to arbitrary file writes.

Affected Systems

Any installation of the OCaml‑tar library older than version 3.4.0 is vulnerable. The flaw appears in all builds where relative path components are honored during extraction. Systems exposing a tar decompression API or command‑line interface to untrusted clients are affected. Vendor and product details beyond the library name are not provided.

Risk and Exploitability

The CVSS score of 9.1 marks this issue as critical, and the EPSS score of less than 1% indicates that exploit attempts are currently very rare. The flaw is not listed in CISA's KEV catalogue, implying no widespread exploitation yet. The likely attack vector is remote: an attacker who can send a crafted archive to a decompression endpoint can trigger the traversal. If the service runs with elevated permissions, the resulting file writes could compromise system integrity and, if exploited further, facilitate remote code execution.

Generated by OpenCVE AI on June 18, 2026 at 01:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade ocaml‑tar to version 3.4.0 or later, which removes support for '../' path segments during extraction.
  • Validate extraction target paths before writing, ensuring that all resolved paths remain inside the intended directory.
  • Limit file write permissions for the process performing the extraction to the minimum required, preventing unauthorized file creation outside the target directory.
  • If an upgrade is not immediately possible, restrict access to any tar decompression endpoints or run the extraction in a sandboxed environment with filesystem confinement.

Generated by OpenCVE AI on June 18, 2026 at 01:37 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

References
History

Fri, 26 Jun 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Ocaml
Ocaml ocaml
Vendors & Products Ocaml
Ocaml ocaml

Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Title Directory Traversal in OCaml‑tar Enables Arbitrary File Writes

Wed, 17 Jun 2026 05:15:00 +0000

Type Values Removed Values Added
Title Directory Traversal in OCaml‑tar Enables Arbitrary File Writes

Tue, 16 Jun 2026 14:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-22
Metrics cvssV3_1

{'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 15 Jun 2026 19:30:00 +0000

Type Values Removed Values Added
Description In OCaml-tar before 3.4.0, a crafted archive with ../ path segments in its name allows escaping the current working directory. This is not desired behavior, and tar(1) rejects such extractions, but ocaml-tar decompresses it anyway. The impact is that it allows arbitrary file writes outside of the desired extraction directory (to an attacker that can reach a tar decompression endpoint).
References

cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-06-16T14:02:18.195Z

Reserved: 2026-05-12T00:00:00.000Z

Link: CVE-2026-45390

cve-icon Vulnrichment

Updated: 2026-06-16T14:01:53.043Z

cve-icon NVD

Status : Deferred

Published: 2026-06-15T20:16:28.587

Modified: 2026-06-16T15:35:16.600

Link: CVE-2026-45390

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T09:46:27Z

Weaknesses
  • CWE-22

    Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')