GHSA-6rxq-q92g-4rmf

Source
https://github.com/advisories/GHSA-6rxq-q92g-4rmf
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-6rxq-q92g-4rmf/GHSA-6rxq-q92g-4rmf.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-6rxq-q92g-4rmf
Aliases
Published
2026-03-01T01:28:02Z
Modified
2026-03-04T15:11:23.886232Z
Severity
  • 8.2 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L
Summary
kaniko has tar archive path traversal in its build context extraction, allowing file writes outside destination directories
Details

kaniko unpacks build context archives by resolving each entry as filepath.Join(dest, cleanedName) and never checks that the resulting path still lies within dest. Cleaning a name drops "./" segments and collapses "a/../b", but a leading ".." survives the clean, so an entry named ../outside.txt resolves one level above the extraction root and is written outside the destination directory (CWE-22). Because the archive controls both the path and the file contents, the result is an arbitrary file write rather than a read, which is why the CVSS vector scores integrity as High and confidentiality as None. In environments with registry authentication this can be chained with Docker credential helpers, the external docker-credential-<name> binaries that the Docker client configuration names and that the executor runs when it needs registry credentials, to achieve code execution within the executor process. Affected versions: >= 1.25.4, <= 1.25.9.

Fix: merged in PR #326, which switches tar extraction to securejoin (github.com/cyphar/filepath-securejoin) for path resolution. securejoin resolves every entry path relative to the destination root, treating components that would climb above the root as relative to the root itself and resolving symlinks inside the root rather than following them out, so a containment check is no longer a separate step that can be forgotten.
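
The following is an added example, not kaniko's code and not the PR #326 patch. It places the flawed join pattern described above beside a standard-library containment check, extracts a constructed archive containing a single ../outside.txt entry with each, and shows that only the unchecked join writes a file above the destination directory. The archive contents, directory names and the helper names (buildTar, vulnerableJoin, safeJoin, extract, RunDemo) are constructed for this example; the safeJoin check uses filepath.Rel, which, unlike the securejoin library the real fix adopted, does not resolve symlinks already present under the destination.

```go
package main

import (
	"archive/tar"
	"bytes"
	"errors"
	"io"
	"os"
	"path/filepath"
	"strings"
)

// ErrEscapes marks a tar entry whose resolved path leaves the destination.
var ErrEscapes = errors.New("tar entry escapes destination")

// buildTar returns a constructed archive (sample input, not a real build
// context) holding one regular file whose name climbs out with "../".
func buildTar() []byte {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	body := []byte("written outside dest\n")
	hdr := &tar.Header{Name: "../outside.txt", Typeflag: tar.TypeReg, Mode: 0o644, Size: int64(len(body))}
	if err := tw.WriteHeader(hdr); err != nil {
		panic(err)
	}
	if _, err := tw.Write(body); err != nil {
		panic(err)
	}
	_ = tw.Close() // only flushes padding into the buffer; exactly Size bytes were written
	return buf.Bytes()
}

// vulnerableJoin mirrors the flawed pattern: Clean collapses "./" and
// "a/../b", but a leading ".." survives, so Join can land outside dest.
func vulnerableJoin(dest, name string) (string, error) {
	return filepath.Join(dest, filepath.Clean(name)), nil
}

// safeJoin (hypothetical stdlib helper) joins, then proves containment with
// filepath.Rel. Unlike securejoin it does not resolve symlinks under dest.
func safeJoin(dest, name string) (string, error) {
	target := filepath.Join(dest, name)
	rel, err := filepath.Rel(dest, target)
	if err != nil {
		return "", err
	}
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrEscapes
	}
	return target, nil
}

// extract writes the regular files in r under dest via join; other entry types are skipped.
func extract(r io.Reader, dest string, join func(dest, name string) (string, error)) error {
	tr := tar.NewReader(r)
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			return nil
		}
		if err != nil {
			return err
		}
		if hdr.Typeflag != tar.TypeReg {
			continue
		}
		target, err := join(dest, hdr.Name)
		if err != nil {
			return err
		}
		if err := os.MkdirAll(filepath.Dir(target), 0o755); err != nil {
			return err
		}
		data, err := io.ReadAll(tr)
		if err != nil {
			return err
		}
		if err := os.WriteFile(target, data, 0o644); err != nil {
			return err
		}
	}
}

// RunDemo extracts the archive under a fresh temp dir with both joins: leaked reports
// whether the unchecked join wrote above its dest, safeErr is the hardened join's verdict.
func RunDemo() (leaked bool, safeErr error, err error) {
	base, err := os.MkdirTemp("", "kaniko-traversal-demo-")
	if err != nil {
		return false, nil, err
	}
	defer os.RemoveAll(base)
	vulnDest := filepath.Join(base, "vuln", "context")
	if err := extract(bytes.NewReader(buildTar()), vulnDest, vulnerableJoin); err != nil {
		return false, nil, err
	}
	_, statErr := os.Stat(filepath.Join(base, "vuln", "outside.txt"))
	leaked = statErr == nil
	safeErr = extract(bytes.NewReader(buildTar()), filepath.Join(base, "safe", "context"), safeJoin)
	return leaked, safeErr, nil
}
```

Running RunDemo yields leaked == true for the filepath.Join-only path and an ErrEscapes error for the checked path. The Rel-based check is sufficient for names containing "..", but it only inspects the string: if an attacker can first create a symlink inside dest (for example with an earlier symlink entry), a later entry written through that link still escapes, which is the gap securejoin closes and the reason the fix reached for it rather than a prefix test.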

Acknowledgements

kaniko thanks Oleh Konko from 1seal for discovering and reporting this issue.

Database specific
{
    "nvd_published_at": "2026-02-27T22:16:23Z",
    "github_reviewed_at": "2026-03-01T01:28:02Z",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-22"
    ],
    "severity": "HIGH"
}
References

Affected packages

Go / github.com/chainguard-dev/kaniko

Package

Name
github.com/chainguard-dev/kaniko
Purl
pkg:golang/github.com/chainguard-dev/kaniko

Affected ranges

Type
SEMVER
Events
Introduced
1.25.4
Fixed
1.25.10

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-6rxq-q92g-4rmf/GHSA-6rxq-q92g-4rmf.json"