Description
Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes. Prior to version 1.25.0, Unarchive in pkg/utils/zip.go joined each archive entry name with the destination directory via filepath.Join and wrote the result without checking whether the resolved path stayed under the destination. A zip entry named ../../tmp/evil therefore landed at /tmp/evil. An attacker who could control a Package.Spec.Source.URL or Deployment.URL archive could induce the fetcher (running as the per-environment pod's fission-fetcher sidecar) to write files anywhere that process could reach: into other tenants' /packages/<ns>/ directories, into mounted secret/config volumes, or into the fetcher's own binary. This issue has been patched in version 1.25.0.
Published: 2026-06-10
Score: 7.7 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a classic zip slip flaw in the Unarchive function of fission’s pkg/utils/zip.go. The function concatenates each archive entry name to the destination directory without validating that the resolved path remains within that directory. Consequently, an attacker who can supply the archive URL used by the fission‑fetcher sidecar could craft entries such as ../../tmp/evil, causing files to be written as /tmp/evil. This results in remote write access that may overwrite configuration files, secret volumes, or files in other tenants’ packaging directories on the host node, potentially leading to privilege escalation or severe data corruption.

Affected Systems

The flaw exists in all versions of the fission framework released before 1.25.0. The issue operates when the fetcher sidecar, running as a per‑environment pod, downloads a Package.Spec.Source.URL or Deployment.URL archive that the attacker can control. Users running any vulnerable fission installation, regardless of cluster configuration, are affected.

Risk and Exploitability

The CVSS score of 7.7 indicates a high severity level. The EPSS score is not available, suggesting that currently known exploit activity is not high, but the flaw remains serious due to its impact. The flaw is not listed in the CISA KEV catalog. Exploitation would typically require an attacker to supply a malicious zip archive to a fetcher pod, which has local host and write privileges. In a multi‑tenant Kubernetes environment, this could allow lateral movement and compromise of other namespaces, including secret and config map volumes. If the fetcher sidecar is running with elevated privileges, the attacker could also overwrite files necessary for the fission runtime or other pods. The attack vector is local but relies on the fetcher’s ability to fetch arbitrary URLs, making it a potentially critical vector in exposed environments.

Generated by OpenCVE AI on June 10, 2026 at 19:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the fission framework to version 1.25.0 or later to apply the fix for the zip slip vulnerability.
  • If an upgrade cannot be performed immediately, restrict the package source URLs so that the fetcher only downloads archives from a trusted, internal registry and validate the archive contents before extraction.
  • Configure the fetcher pod to run with the least privilege, ensuring that write‑access to system volumes is restricted to read‑only or is otherwise tightly controlled.

Generated by OpenCVE AI on June 10, 2026 at 19:37 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 10 Jun 2026 20:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 10 Jun 2026 18:15:00 +0000

Type Values Removed Values Added
Description Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes. Prior to version 1.25.0, Unarchive in pkg/utils/zip.go joined each archive entry name with the destination directory via filepath.Join and wrote the result without checking whether the resolved path stayed under the destination. A zip entry named ../../tmp/evil therefore landed at /tmp/evil. An attacker who could control a Package.Spec.Source.URL or Deployment.URL archive could induce the fetcher (running as the per-environment pod's fission-fetcher sidecar) to write files anywhere that process could reach: into other tenants' /packages/<ns>/ directories, into mounted secret/config volumes, or into the fetcher's own binary. This issue has been patched in version 1.25.0.
Title Fission: Zip Slip in pkg/utils/zip.go:Unarchive allows fetcher to write outside the destination directory
Weaknesses CWE-22
References
Metrics cvssV3_1

{'score': 7.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-10T19:30:59.121Z

Reserved: 2026-06-04T21:34:34.426Z

Link: CVE-2026-50567

cve-icon Vulnrichment

Updated: 2026-06-10T19:14:12.436Z

cve-icon NVD

Status : Deferred

Published: 2026-06-10T18:17:13.197

Modified: 2026-06-10T19:37:41.437

Link: CVE-2026-50567

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-10T19:45:39Z

Weaknesses