Patool before 4.0.5 contains a path traversal vulnerability in the safe_extract() function in patoolib/programs/py_tarfile.py when running on Python before 3.12, where the is_within_directory() helper uses os.path.commonprefix() for character-level string comparison instead of path-level comparison, allowing a crafted archive member path to bypass the containment check. Attackers can supply a malicious archive with specially crafted member paths to write arbitrary files.
References
Configurations
No configuration.
History
26 Jun 2026, 20:16
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2026-06-26 20:16
Updated : 2026-06-27 04:17
NVD link : CVE-2026-29509
Mitre link : CVE-2026-29509
CVE.ORG link : CVE-2026-29509
JSON object : View
Products Affected
No product.
CWE
CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
