Relative Path Traversal in libzypp Before 17.38.10

Executive Summary

CVE-2026-25707 is a security vulnerability in the libzypp library, which is used for package management in openSUSE and SUSE Linux systems. The vulnerability arises from improper handling of repository metadata entries that contain relative path traversal sequences such as "../". This flaw allows remote attackers who supply malicious repository metadata to cause libzypp to write files outside the intended local cache directory.

Specifically, libzypp combines the repository's base URL with the package location to determine where to store files locally. If the metadata contains crafted relative paths, it can escape the cache directory and overwrite arbitrary files on the system.

The vulnerability was fixed by introducing sanitization mechanisms that detect and discard such malicious path entries, ensuring only valid repository-local paths are processed.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can have serious impacts including denial of service and privilege escalation on affected systems.

• An attacker can overwrite arbitrary local files, including critical system configuration files such as /etc/passwd.
• Overwriting system files can lead to system instability or denial of service.
• Privilege escalation may occur if the attacker replaces or modifies files that control system permissions or authentication.
• If malicious repository metadata is signed with a trusted key, the system might skip signature verification, allowing the attack to succeed without detection.

Useful 0 Not Useful 0

Detection Guidance

Detection of this vulnerability involves monitoring for warnings generated by libzypp when it encounters suspicious repository metadata entries containing relative path traversal sequences such as "../".

Since the fix introduces sanitization that logs warnings for hostile locations, checking system logs for such warnings can help identify attempts to exploit this vulnerability.

Additionally, inspecting repository metadata files for relative path traversal patterns can be done using commands like:

• grep -r '\.\./' /var/cache/zypp/ or the directory where repository metadata is stored
• journalctl -u package-management-service | grep -i 'sanitizeEntry' or 'warning' to find logged warnings related to path traversal

Network detection could involve monitoring repository metadata downloads for suspicious path traversal sequences in the metadata content.

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation step is to update libzypp to version 17.38.5 or later, where the vulnerability has been fixed by sanitizing repository metadata paths to prevent directory traversal.

If updating immediately is not possible, avoid using untrusted or unsigned repositories, as malicious metadata from these sources can exploit the vulnerability.

Review and restrict repository configurations to trusted sources only, and monitor system logs for warnings about suspicious repository metadata entries.

Apply any available security updates released by SUSE for affected products such as SUSE Linux Enterprise Server, SUSE Linux Micro, and openSUSE Leap.

Useful 0 Not Useful 0