CVE-2026-35592
Path Traversal in pyLoad UnTar Extractor Allows Arbitrary Write
Publication date: 2026-04-07
Last updated on: 2026-04-16
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Affected versions |
|---|---|---|
| pyload-ng_project | pyload-ng | up to and including 0.5.0b3.dev96 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in pyLoad is an incomplete fix for a path traversal issue in the `_safe_extractall()` function of the `UnTar.py` module. Before extracting, the function checks each archive member's resolved path against the extraction directory using `os.path.commonprefix()`, which compares the two strings character by character rather than directory component by directory component.
Because of that, the check passes whenever the resolved target merely begins with the extraction directory's path string, not only when it lies beneath that directory. A member that climbs with `..` into a sibling directory whose name starts with the extraction directory's name (extracting into a directory named `downloads`, a member such as `../downloads_evil/file`) resolves to a path the check accepts, so a crafted tar archive can write files outside the extraction directory, overwriting existing files or planting new ones. A member like `../some_other_dir/file`, by contrast, is rejected even by the flawed check, because its resolved path no longer starts with the extraction directory string.
The correct method, `os.path.commonpath()`, which compares whole path components, was introduced in a prior fix (the `is_within_directory()` helper in `pyload.core.utils.fs`) but was never applied to this function, leaving the bypass open until version 0.5.0b3.dev97.
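The difference between the two checks, as an added Python example that is not pyLoad's code: `vulnerable_is_within_directory()` reproduces the commonprefix logic described above, `fixed_is_within_directory()` is a commonpath-based reconstruction and not the project's own `is_within_directory()`, and the extraction directory `/data/downloads` and the member names are constructed for the demonstration.

```python
import os

# Constructed example (not from the advisory): pyLoad is assumed to extract
# into /data/downloads; the member names are what a crafted tar header would carry.
EXTRACT_DIR = "/data/downloads"

CONSTRUCTED_MEMBERS = [
    "video/part1.bin",               # ordinary member, stays inside
    "../other_dir/file",             # classic traversal, caught by both checks
    "../downloads_evil/file",        # sibling sharing the prefix: slips past commonprefix
    "/etc/cron.d/job",               # absolute name: os.path.join discards EXTRACT_DIR
    "sub/../../downloads-backup/x",  # abspath normalises it to a prefix-sharing sibling
]


def vulnerable_is_within_directory(directory, target):
    """String-level prefix test, as in the affected inline _is_within_directory()."""
    abs_directory = os.path.abspath(directory)
    abs_target = os.path.abspath(target)
    return os.path.commonprefix([abs_directory, abs_target]) == abs_directory


def fixed_is_within_directory(directory, target):
    """Component-aware test (reconstruction of a commonpath-based check)."""
    abs_directory = os.path.abspath(directory)
    abs_target = os.path.abspath(target)
    return os.path.commonpath([abs_directory, abs_target]) == abs_directory


def classify(directory, member_name):
    """Return (vulnerable_verdict, fixed_verdict) for one tar member name."""
    target = os.path.join(directory, member_name)
    return (
        vulnerable_is_within_directory(directory, target),
        fixed_is_within_directory(directory, target),
    )


def bypasses(directory, member_names):
    """Member names the vulnerable check admits but the fixed check rejects."""
    return [m for m in member_names if classify(directory, m) == (True, False)]


if __name__ == "__main__":
    for m in CONSTRUCTED_MEMBERS:
        v, f = classify(EXTRACT_DIR, m)
        print(f"{m:32} vulnerable={'allow' if v else 'block'}  fixed={'allow' if f else 'block'}")
    print("bypasses:", bypasses(EXTRACT_DIR, CONSTRUCTED_MEMBERS))
```

Note that both checks look only at the member's name. Symlink and hardlink members whose link target points outside the directory are a separate concern that neither check covers; on Python 3.12 and later (and the backported releases) `tarfile.extractall(filter="data")` rejects those as well.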
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows an attacker to write files outside the intended extraction directory, potentially overwriting other users' files or planting malicious files that could lead to code execution.
Such arbitrary file write capabilities could lead to unauthorized modification of data, which may impact the integrity of sensitive information.
While the CVE description does not explicitly mention compliance with standards like GDPR or HIPAA, the ability to alter files outside designated directories could result in breaches of data integrity and security controls required by these regulations.
Therefore, if pyLoad is used in environments subject to these regulations, this vulnerability could pose a risk to compliance by enabling unauthorized data manipulation or potential exposure.
How can this vulnerability impact me?
This vulnerability allows an attacker to craft malicious tar archives that, when extracted by pyLoad, can write files outside the intended extraction directory.
- Arbitrary file write outside the extraction directory.
- Overwriting files belonging to other users.
- Planting malicious files in sensitive locations, which could lead to code execution if combined with other attack vectors.
Exploitation requires the victim to download and extract a malicious tar archive using pyLoad with the ExtractArchive addon enabled.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected statically, by checking whether the `_safe_extractall()` function in pyLoad's `UnTar.py` still validates member paths with `os.path.commonprefix()` instead of `os.path.commonpath()`, or dynamically, by extracting a crafted archive and watching where the files land.
For the dynamic approach, craft a tar archive with a member whose path escapes the extraction directory in the specific way the flawed check misses: `..` into a sibling directory whose name begins with the extraction directory's name (for an extraction directory named `downloads`, a path like `../downloads_evil/evil_file`). Extracting it with the vulnerable pyLoad version and monitoring the parent of the extraction directory shows whether the file is written outside the target directory.
Suggested commands to test this on a system with pyLoad installed:
- Create a malicious tar archive whose member path climbs into a sibling directory that shares the extraction directory's name as a prefix (replace `<extractdir>` with the name of the directory pyLoad extracts into; a plain `../evil_dir/` prefix is rejected even by the flawed check): `tar -cf malicious.tar --transform 's|^|../<extractdir>_evil/|' somefile.txt`, then confirm with `tar -tf malicious.tar` that the member name kept its leading `../`.
- Have pyLoad extract `malicious.tar` (ExtractArchive addon enabled) and check whether `somefile.txt` appears in `<extractdir>_evil` next to the extraction directory rather than inside it.
- Alternatively, inspect the installed pyLoad package or its source tree and check whether `_safe_extractall()` in `UnTar.py` still defines an inline `_is_within_directory()` built on `os.path.commonprefix()` instead of calling `is_within_directory()` from `pyload.core.utils.fs`, which uses `os.path.commonpath()`.
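A way to build such a test archive and audit its members without extracting anything, as an added Python example that is not part of the advisory or of pyLoad. It uses `tarfile.TarInfo`, which stores member names verbatim (so `..` components survive, unlike paths handed to the GNU tar CLI, hence the `--transform` trick above), and labels each member by whether the commonprefix check would have let it escape. The extraction directory `/data/downloads` and the member names and contents are constructed.

```python
import io
import os
import tarfile


def vulnerable_check(directory, target):
    """commonprefix test, as used by the affected _safe_extractall()."""
    abs_directory, abs_target = os.path.abspath(directory), os.path.abspath(target)
    return os.path.commonprefix([abs_directory, abs_target]) == abs_directory


def fixed_check(directory, target):
    """commonpath test (reconstruction of the corrected check, not pyLoad's code)."""
    abs_directory, abs_target = os.path.abspath(directory), os.path.abspath(target)
    return os.path.commonpath([abs_directory, abs_target]) == abs_directory


def build_test_archive(member_names):
    """Return the bytes of a tar archive whose member names are taken verbatim.

    The file contents are constructed filler; only the names matter here.
    """
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in member_names:
            data = b"constructed test content\n"
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def write_test_archive(path, member_names):
    """Write the constructed archive to disk (e.g. to feed it to pyLoad); returns its size."""
    data = build_test_archive(member_names)
    with open(path, "wb") as f:
        f.write(data)
    return len(data)


def audit_archive(archive_bytes, extract_dir):
    """Map each member name to 'inside', 'blocked', or 'escapes', without extracting.

    'escapes' marks members the vulnerable check admits but the fixed check
    rejects, i.e. the ones an affected pyLoad would write outside extract_dir.
    """
    verdicts = {}
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r") as tar:
        for member in tar.getmembers():
            target = os.path.join(extract_dir, member.name)
            if fixed_check(extract_dir, target):
                verdicts[member.name] = "inside"
            elif vulnerable_check(extract_dir, target):
                verdicts[member.name] = "escapes"
            else:
                verdicts[member.name] = "blocked"
    return verdicts


if __name__ == "__main__":
    # Constructed member names: one benign, one classic traversal, one prefix-sharing sibling.
    names = ["ok/a.txt", "../x/b", "../downloads_evil/c"]
    for name, verdict in audit_archive(build_test_archive(names), "/data/downloads").items():
        print(f"{name:24} {verdict}")
```

Running `audit_archive()` over an archive before extraction is also a reasonable pre-scan in any tool that still has to handle untrusted tars; a member marked `escapes` is exactly the kind of path this CVE is about.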
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability immediately, upgrade pyLoad to version 0.5.0b3.dev97 or later, where the _safe_extractall() function has been fixed to use the secure is_within_directory() function that relies on os.path.commonpath() for proper path traversal validation.
If upgrading is not immediately possible, apply the recommended code fix by replacing the vulnerable inline _is_within_directory() function in _safe_extractall() with the correct is_within_directory() function from pyload.core.utils.fs.
Additionally, avoid extracting tar archives from untrusted sources using pyLoad until the fix is applied, as exploitation requires user interaction to extract a malicious archive.