Impact
Dokku, a Docker-based PaaS platform, processes user-supplied tar and zip archives in the git:from-archive and certs:add commands without sanitizing the paths of archive members or preventing symlink traversal. The absence of path validation allows a malicious archive to contain a symlink pointing to an arbitrary target. During extraction, GNU tar follows the symlink and writes subsequent entries to the specified location. As a consequence, an attacker can write arbitrary files wherever the dokku user can write, including overwriting the ~/.ssh/authorized_keys file to inject their public key and obtain an unrestricted shell.
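The defensive counterpart to the extraction flaw described above is to validate every archive member before anything is written to disk: reject symlink and hard-link entries outright, reject absolute names, and reject any name that resolves outside the intended destination directory. The following Go program is an added example written for this page; it is not Dokku's code and not its upstream fix. The destination path `/srv/dokku/app` and the three in-memory archives (one clean, one with a symlink that a later entry would write through, one with a plain `..` traversal) are constructed fixtures for the demonstration.

```go
package main

import (
	"archive/tar"
	"bytes"
	"errors"
	"fmt"
	"io"
	"path/filepath"
	"strings"
)

// ErrUnsafeEntry marks any archive member that could write outside the destination.
var ErrUnsafeEntry = errors.New("unsafe archive entry")

// safeJoin resolves name beneath dest and refuses absolute names or names whose
// cleaned form escapes dest (".." components are collapsed by filepath.Join).
func safeJoin(dest, name string) (string, error) {
	if filepath.IsAbs(name) {
		return "", fmt.Errorf("%w: absolute path %q", ErrUnsafeEntry, name)
	}
	dest = filepath.Clean(dest)
	target := filepath.Join(dest, name)
	rel, err := filepath.Rel(dest, target)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("%w: %q escapes %q", ErrUnsafeEntry, name, dest)
	}
	return target, nil
}

// ValidateTar walks every header of a tar stream before extraction. It returns
// the on-disk paths the regular files and directories would land on, or stops
// at the first member that is a symlink, hard link, absolute path or traversal.
// Rejecting links closes the symlink-then-write pattern: a link is never created,
// so no later member can be redirected through it.
func ValidateTar(r io.Reader, dest string) ([]string, error) {
	tr := tar.NewReader(r)
	var accepted []string
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			return accepted, nil
		}
		if err != nil {
			return nil, err
		}
		switch hdr.Typeflag {
		case tar.TypeReg, tar.TypeDir:
			// plain content; still subject to the path check below
		case tar.TypeSymlink, tar.TypeLink:
			return nil, fmt.Errorf("%w: %q is a link to %q", ErrUnsafeEntry, hdr.Name, hdr.Linkname)
		default:
			return nil, fmt.Errorf("%w: %q has unsupported type %d", ErrUnsafeEntry, hdr.Name, hdr.Typeflag)
		}
		p, err := safeJoin(dest, hdr.Name)
		if err != nil {
			return nil, err
		}
		accepted = append(accepted, p)
	}
}

// entry describes one constructed tar member used to build the fixtures below.
type entry struct {
	name, link, body string
	typ              byte
}

// buildTar writes the constructed entries into an in-memory tar archive.
func buildTar(entries []entry) []byte {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	for _, e := range entries {
		hdr := &tar.Header{Name: e.name, Typeflag: e.typ, Mode: 0o644, Linkname: e.link, Size: int64(len(e.body))}
		if err := tw.WriteHeader(hdr); err != nil {
			panic(err)
		}
		if e.body != "" {
			io.WriteString(tw, e.body)
		}
	}
	tw.Close()
	return buf.Bytes()
}

// CleanArchive is a benign fixture: a directory and one regular file.
func CleanArchive() []byte {
	return buildTar([]entry{
		{name: "app/", typ: tar.TypeDir},
		{name: "app/Dockerfile", typ: tar.TypeReg, body: "FROM scratch\n"},
	})
}

// SymlinkArchive is a fixture with a symlink member followed by a file that
// would be written through it (the pattern this advisory describes).
func SymlinkArchive() []byte {
	return buildTar([]entry{
		{name: "escape", typ: tar.TypeSymlink, link: "../../outside"},
		{name: "escape/data.txt", typ: tar.TypeReg, body: "x\n"},
	})
}

// TraversalArchive is a fixture with a bare ".." path and no symlink.
func TraversalArchive() []byte {
	return buildTar([]entry{{name: "../outside.txt", typ: tar.TypeReg, body: "x\n"}})
}

func main() {
	for label, data := range map[string][]byte{"clean": CleanArchive(), "symlink": SymlinkArchive(), "traversal": TraversalArchive()} {
		paths, err := ValidateTar(bytes.NewReader(data), "/srv/dokku/app")
		fmt.Printf("%-9s accepted=%v err=%v\n", label, paths, err)
	}
}
```

Running the program prints the two accepted paths for the clean fixture and an `unsafe archive entry` error for the other two; the symlink case is refused at the link itself, before the entry that would have been redirected is ever examined. The same header walk applies to zip archives by checking each member's name and mode the same way before extraction.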
Affected Systems
The flaw exists in dokku versions earlier than 0.38.2. The integrity of installations running those releases is compromised, regardless of the underlying operating system. Users managing any dokku instance that may execute git:from-archive or certs:add from external sources or untrusted archives are affected.
Risk and Exploitability
The CVSS score of 9.0 reflects an exploit that can modify application state and potentially allow credential abuse. EPSS is not available, but the high severity coupled with the ability to write arbitrary files places this vulnerability in a high-risk category. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires a user who can run the vulnerable Dokku commands, implying access to the Dokku console or CLI. An attacker can prepare a crafted archive and trigger the faulty extraction, then immediately modify authorized_keys or other writable files to establish persistent shell access.
OpenCVE Enrichment