osec-2026-08
Vulnerability from osv_ocaml
Published
2026-05-22 20:55
Modified
2026-05-22 20:55
Summary
Path traversal vulnerability in ocaml-tar
Details

A malicious archive with ../ path segments in its name allows escaping the current working directory. This is not desired behavior, and tar(1) rejects such extractions, but ocaml-tar decompresses it anyway. The impact is that it allows arbitrary file write outside of the desired extraction directory to an attacker that can reach a tar decompression endpoint. In terms of severity, similar vulnerabilities in different ecosystems (python, node, go) have been assigned CVSS scores of 6.8 MEDIUM, 7.1 HIGH, and 8.2 HIGH.

Details

Function Tar_unix.extract uses Filename.concat.

let extract ?(filter = fun _ -> true) ~src dst =
  let f ?global:_ hdr () =
    if filter hdr then
      match hdr.Tar.Header.link_indicator with
      | Tar.Header.Link.Normal ->
        begin match Result.map_error unix_err_to_msg
            (safe Unix.(openfile (Filename.concat dst hdr.Tar.Header.file_name)
                          [ O_WRONLY ; O_CREAT ]) hdr.Tar.Header.file_mode) with
        | Error _ as err -> Tar.return err
        | Ok dst ->
          try copy ~dst_fd:dst (Int64.to_int hdr.Tar.Header.file_size)
          with exn -> safe_close dst; Tar.return (Error (`Exn exn))
        end
        (* TODO set owner / mode / mtime etc. *)
      | _ ->
        (* TODO handle directories, links, etc. *)
        let open Tar.Syntax in
        let* () = Tar.seek (Int64.to_int hdr.Tar.Header.file_size) in
        Tar.return (Ok ())
    else
      let open Tar.Syntax in
      let* () = Tar.seek (Int64.to_int hdr.Tar.Header.file_size) in
      Tar.return (Ok ())
  in
  fold f src ()

Filename.concat does not perform any sanitation:

# Filename.concat "/tmp" "../../../etc/passwd";;
- : string = "/tmp/../../../etc/passwd"

Hence, calling Unix.openfile on such a path will result in opening /etc/passwd.

I only confirmed it in the following setting (see PoC below), and a proper fix would require investigating it in more details:

version targeted: 3.3.0, which seems to be the only version of ocaml-tar. But use of Filename.concat seems to have been there since the beginning.

Impact

This is a path traversal vulnerability that allows an attacker to perform an arbitrary file write outside of the intended extraction directory. Vulnerable users are the users relying on ocaml-tar, which includes (according to the readme of ocaml-tar):

  • xapi (confirmed not vulnerable by maintainers)
  • obuilder

Related CVEs

  • CVE-2007-4559: same problem in python's implementation of tar
  • CVE-2025-0377: similar problem in hashicorp's go implementation of tar
  • CVE-2026-24842: similar problem in node-tar

Fix

The fix is to sanitize paths before calling Unix.openfile. In the presence of symlink support, extra validation is needed.

Timeline

  • 2026-05-07: reported via GitHub (on https://github.com/ocaml/security-advisories)
  • 2025-05-20: initial fix developed and asked for review, also informed xapi and obuilder teams
  • 2025-05-22: fixed tar released, security advisory announced
Severity
8.2 (High)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N
Credits
Quentin Stiévenart
Reynir Björnsson
Anil Madhavapeddy
Hannes Mehnert
To clipboard 

{
  "affected": [
    {
      "ecosystem_specific": {
        "opam_constraint": "tar {\u003c \"3.5.0\"}"
      },
      "package": {
        "ecosystem": "opam",
        "name": "tar",
        "purl": "pkg:opam/tar"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.5.0"
            }
          ],
          "type": "ECOSYSTEM"
        },
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "51ceb0a15982993503c169b9d84456fd50eabe99"
            }
          ],
          "repo": "https://github.com/mirage/ocaml-tar",
          "type": "GIT"
        }
      ],
      "versions": [
        "0.8.0",
        "0.9.0",
        "1.0.0",
        "1.0.1",
        "1.1.0",
        "2.0.0",
        "2.0.1",
        "2.1.0",
        "2.2.0",
        "2.2.1",
        "2.2.2",
        "2.3.0",
        "2.4.0",
        "2.5.0",
        "2.5.1",
        "2.6.0",
        "3.0.0",
        "3.1.1",
        "3.1.2",
        "3.2.0",
        "3.3.0"
      ]
    }
  ],
  "aliases": [
    "CVE-2026-45390"
  ],
  "credits": [
    {
      "name": "Quentin Sti\u00e9venart",
      "type": "REPORTER"
    },
    {
      "name": "Reynir Bj\u00f6rnsson",
      "type": "REMEDIATION_DEVELOPER"
    },
    {
      "name": "Anil Madhavapeddy",
      "type": "REMEDIATION_DEVELOPER"
    },
    {
      "name": "Hannes Mehnert",
      "type": "COORDINATOR"
    }
  ],
  "database_specific": {
    "cwe": [
      "CWE-22",
      "CWE-61"
    ],
    "human_link": "https://github.com/ocaml/security-advisories/tree/main/advisories/2026/OSEC-2026-08.md",
    "osv": "https://github.com/ocaml/security-advisories/tree/generated-osv/2026/OSEC-2026-08.json"
  },
  "details": "A malicious archive with `../` path segments in its name allows escaping the current working directory. This is not desired behavior, and tar(1) rejects such extractions, but ocaml-tar decompresses it anyway.\nThe impact is that it allows arbitrary file write outside of the desired extraction directory to an attacker that can reach a tar decompression endpoint. In terms of severity, similar vulnerabilities in different ecosystems (python, node, go) have been assigned CVSS scores of 6.8 MEDIUM, 7.1 HIGH, and 8.2 HIGH.\n\n## Details\n\nFunction `Tar_unix.extract` uses `Filename.concat`.\n\n```OCaml\nlet extract ?(filter = fun _ -\u003e true) ~src dst =\n  let f ?global:_ hdr () =\n    if filter hdr then\n      match hdr.Tar.Header.link_indicator with\n      | Tar.Header.Link.Normal -\u003e\n        begin match Result.map_error unix_err_to_msg\n            (safe Unix.(openfile (Filename.concat dst hdr.Tar.Header.file_name)\n                          [ O_WRONLY ; O_CREAT ]) hdr.Tar.Header.file_mode) with\n        | Error _ as err -\u003e Tar.return err\n        | Ok dst -\u003e\n          try copy ~dst_fd:dst (Int64.to_int hdr.Tar.Header.file_size)\n          with exn -\u003e safe_close dst; Tar.return (Error (`Exn exn))\n        end\n        (* TODO set owner / mode / mtime etc. *)\n      | _ -\u003e\n        (* TODO handle directories, links, etc. *)\n        let open Tar.Syntax in\n        let* () = Tar.seek (Int64.to_int hdr.Tar.Header.file_size) in\n        Tar.return (Ok ())\n    else\n      let open Tar.Syntax in\n      let* () = Tar.seek (Int64.to_int hdr.Tar.Header.file_size) in\n      Tar.return (Ok ())\n  in\n  fold f src ()\n```\n\n`Filename.concat` does not perform any sanitation:\n\n```\n# Filename.concat \"/tmp\" \"../../../etc/passwd\";;\n- : string = \"/tmp/../../../etc/passwd\"\n```\n\nHence, calling `Unix.openfile` on such a path will result in opening `/etc/passwd`.\n\nI only confirmed it in the following setting (see PoC below), and a proper fix would require investigating it in more details:\n\nversion targeted: 3.3.0, which seems to be the only version of ocaml-tar. But use of `Filename.concat` seems to have been there since the beginning.\n\n## Impact\n\nThis is a path traversal vulnerability that allows an attacker to perform an arbitrary file write outside of the intended extraction directory.\nVulnerable users are the users relying on ocaml-tar, which includes (according to the readme of ocaml-tar):\n\n- xapi (confirmed not vulnerable by maintainers)\n- obuilder\n\nRelated CVEs\n\n- CVE-2007-4559: same problem in python\u0027s implementation of tar\n- CVE-2025-0377: similar problem in hashicorp\u0027s go implementation of tar\n- CVE-2026-24842: similar problem in node-tar\n\n## Fix\n\nThe fix is to sanitize paths before calling `Unix.openfile`. In the presence of symlink support, extra validation is needed.\n\n## Timeline\n\n- 2026-05-07: reported via GitHub (on https://github.com/ocaml/security-advisories)\n- 2025-05-20: initial fix developed and asked for review, also informed xapi and obuilder teams\n- 2025-05-22: fixed tar released, security advisory announced",
  "id": "OSEC-2026-08",
  "modified": "2026-05-22T20:55:00Z",
  "published": "2026-05-22T20:55:00Z",
  "references": [],
  "schema_version": "1.7.4",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Path traversal vulnerability in ocaml-tar"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.