Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-29064 is a path traversal vulnerability in the Zarf package manager for Kubernetes, affecting versions from 0.54.0 up to but not including 0.73.1.'}, {'type': 'paragraph', 'content': 'The vulnerability occurs during archive extraction when the software creates symbolic links (symlinks) from archive entries without verifying that these symlinks point inside the intended extraction directory.'}, {'type': 'paragraph', 'content': 'An attacker can craft a malicious Zarf package containing symlinks that point outside the destination directory, allowing arbitrary file reads or writes on the system processing the package.'}, {'type': 'paragraph', 'content': 'This is a symlink variant of the "Zip Slip" vulnerability class, where improper validation of file paths allows escaping the extraction root directory.'}, {'type': 'paragraph', 'content': 'The issue has been fixed in version 0.73.1.'}] [2]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can allow an attacker to read or write arbitrary files on the system where the Zarf package is being extracted.

By exploiting the path traversal via crafted symlinks, an attacker could overwrite critical system files, potentially leading to system compromise.

Although the vulnerability does not directly enable code execution, overwriting executable files could lead to remote code execution or privilege escalation.

The risk is especially relevant if you process Zarf packages from untrusted or semi-trusted sources, such as external file transfers, registries, or organizational sharing.

Users who only process fully trusted packages are less at risk, but upgrading to the patched version 0.73.1 is strongly recommended.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by inspecting Zarf packages or archives for symlinks that point outside the intended extraction directory. Specifically, look for symbolic links within the archive whose targets contain path traversal sequences such as ".." that escape the extraction root.'}, {'type': 'paragraph', 'content': 'A proof-of-concept involves extracting a malicious tar.gz archive containing a symlink named "escape-link" pointing to a path like "../../../../../../../etc/shadow". Detecting such symlinks in archives before extraction can help identify the vulnerability.'}, {'type': 'paragraph', 'content': 'Suggested commands to detect suspicious symlinks in tar archives include:'}, {'type': 'list_item', 'content': "List symlinks in a tar archive and their targets: `tar -tvf archive.tar.gz | grep '^l'`"}, {'type': 'list_item', 'content': 'Extract the archive in a safe environment and check for symlinks pointing outside the extraction directory by examining the symlink targets for ".." sequences.'}, {'type': 'list_item', 'content': 'Use a script or tool to validate that all symlink targets remain within the intended extraction directory.'}] [2]

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation step is to upgrade Zarf to version 0.73.1 or later, where this path traversal vulnerability has been fixed.

Until the upgrade can be applied, only process Zarf packages or archives from fully trusted sources to reduce the risk of exploitation.

There is no need to rebuild previously created packages as the vulnerability affects only the extraction process.

Useful 0 Not Useful 0