GHSA-923j-vrcg-hxwh
Suggest an improvement- Source
- https://github.com/advisories/GHSA-923j-vrcg-hxwh
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/01/GHSA-923j-vrcg-hxwh/GHSA-923j-vrcg-hxwh.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-923j-vrcg-hxwh
- Aliases
- Published
- 2026-01-29T22:05:15Z
- Modified
- 2026-02-03T03:03:33.566595Z
- Severity
-
- 5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N CVSS Calculator
- Summary
- malcontent vulnerable to symlink Path Traversal via handleSymlink argument confusion in archive extraction
- Details
-
malcontent could be made to create symlinks outside the intended extraction directory when scanning a specially crafted tar or deb archive. The
handleSymlinkfunction received arguments in the wrong order, causing the symlink target to be used as the symlink location. Additionally, symlink targets were not validated to ensure they resolved within the extraction directory.Fixes: - Swap handleSymlink arguments; validate symlink location - Validate symlink targets resolve within extraction directory
Acknowledgements
Thank you to Oleh Konko from 1seal for discovering and reporting this issue.
- Database specific
{ "nvd_published_at": "2026-01-29T22:15:54Z", "cwe_ids": [ "CWE-22", "CWE-683" ], "github_reviewed_at": "2026-01-29T22:05:15Z", "severity": "MODERATE", "github_reviewed": true }- References
-
- https://github.com/chainguard-dev/malcontent/security/advisories/GHSA-923j-vrcg-hxwh
- https://nvd.nist.gov/vuln/detail/CVE-2026-24846
- https://github.com/chainguard-dev/malcontent/commit/259fca5abc004f3ab238895463ef280a87f30e96
- https://github.com/chainguard-dev/malcontent/commit/a7dd8a5328ddbaf235568437813efa7591e00017
- https://github.com/chainguard-dev/malcontent
Affected packages
Go / github.com/chainguard-dev/malcontent
Package
- Name
- github.com/chainguard-dev/malcontent
- View open source insights on deps.dev
- Purl
- pkg:golang/github.com/chainguard-dev/malcontent