Technologyglobal✓ verified · 90%

BBOT: Path traversal (Zip-Slip) in unarchive module - incomplete fix for CVE-2025-10284

Name: BBOT: Path traversal (Zip-Slip) in unarchive module - incomplete fix for CVE-2025-10284
Start: 2026-06-18T15:02:35Z
Location: Global (internet)

When: 2026-06-18 15:02 UTC
Where: Global (internet)
Category: cyber_advisory · pip

The `unarchive` internal module's archive extraction commands perform no code-level validation on extracted file paths, relying entirely on the behavior of external tools (e.g. GNU tar) which varies by platform. While CVE-2025-10284 addressed git-specific RCE vectors, the underlying archive extraction path traversal was never fixed. On systems with GNU tar < 1.34 (Ubuntu 20.04, Debian Buster, CentOS 7, many Docker base images), a malicious archive can write files outside the intended extraction directory.

Sources

GitHub Advisory Database ↗ · first seen 2026-06-18 15:02 UTC

Defaxon links out to the original reporting and never republishes article text.

Correlated events

Computed by the Defaxon correlation engine — linked by shared actors, co-location, and temporal proximity. Scored hypotheses, never causal claims.

No correlated events found in the current window. As more events arrive, connections form automatically.

← Back to the live map