Executive Summary

CVE-2026-41245 is a path traversal vulnerability in the LocalFolderExtractor component of the junrar Java library used for extracting RAR archives. Before version 7.5.10, the library improperly validated file paths during extraction, allowing an attacker to craft a malicious RAR archive that writes files outside the intended extraction directory. This happens because the methods responsible for creating directories and files checked if the extracted file path started with the target directory path, but this check could be bypassed using relative path elements like ".." to escape the target folder.

The vulnerability allows an attacker to place arbitrary files with attacker-controlled content into sibling directories outside the extraction folder, potentially overwriting or adding files in unintended locations.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can impact you by allowing an attacker to write arbitrary files outside the intended extraction directory when you extract a crafted RAR archive using the vulnerable junrar library. This can lead to unauthorized modification or creation of files in sibling directories, potentially overwriting important files or placing malicious files on your system.

The integrity of your system or application can be compromised because the attacker can control the content of these files, which may lead to further exploitation or disruption.

Useful 0 Not Useful 0

Detection Guidance

Detection of this vulnerability involves identifying attempts to extract crafted RAR archives that contain file paths designed to escape the intended extraction directory.

Specifically, look for extraction operations where file paths include relative path elements like ".." that lead to sibling directories outside the target extraction folder.

One practical approach is to monitor logs or processes that handle RAR extraction for suspicious file paths or errors indicating invalid extraction paths.

Since the vulnerability is related to path traversal during extraction, you can also test your system by attempting to extract a crafted RAR archive similar to the test resource named "sibling-prefix-traversal.rar" used in the fix.

While no specific commands are provided in the resources, you can use standard archive extraction commands (e.g., using junrar CLI or Java code invoking junrar) to attempt extraction and observe if exceptions or errors occur indicating invalid paths.

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation step is to upgrade the junrar library to version 7.5.10 or later, where the vulnerability has been fixed.

This update includes enhanced path validation in the LocalFolderExtractor component that prevents files from being extracted outside the intended directory.

If upgrading immediately is not possible, avoid extracting untrusted or suspicious RAR archives using vulnerable versions of junrar.

Additionally, monitor extraction processes for exceptions or errors related to invalid paths, which may indicate exploitation attempts.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability allows an attacker to write arbitrary files with attacker-controlled content into sibling directories outside the intended extraction directory, which can lead to unauthorized modification of files.

This unauthorized file modification could impact the integrity of data, which is a critical aspect of compliance with standards such as GDPR and HIPAA that require protection of data integrity and prevention of unauthorized data alteration.

However, there is no direct information provided about specific compliance impacts or regulatory violations caused by this vulnerability.

Useful 0 Not Useful 0