Impact
OCaml‑tar before version 3.4.0 accepts archives that contain '../' path segments in member names. When extracted, the library writes the files outside the target directory, allowing an attacker who can submit a crafted tar archive to an extraction endpoint to overwrite arbitrary files. This directory traversal flaw (CWE‑22) may lead to arbitrary file writes.
Affected Systems
Any installation of the OCaml‑tar library older than version 3.4.0 is vulnerable. The flaw appears in all builds where relative path components are honored during extraction. Systems exposing a tar decompression API or command‑line interface to untrusted clients are affected. Vendor and product details beyond the library name are not provided.
Risk and Exploitability
The CVSS score of 9.1 marks this issue as critical, and the EPSS score of less than 1% indicates that exploit attempts are currently very rare. The flaw is not listed in CISA's KEV catalogue, implying no widespread exploitation yet. The likely attack vector is remote: an attacker who can send a crafted archive to a decompression endpoint can trigger the traversal. If the service runs with elevated permissions, the resulting file writes could compromise system integrity and, if exploited further, facilitate remote code execution.
OpenCVE Enrichment