CVE-2026-33056: tar-rs `unpack_in` can chmod arbitrary directories by following symlinks
(updated )
When unpacking a tar archive, the tar crate’s unpack_dir function uses fs::metadata() to check whether a path that already exists is a directory. Because fs::metadata() follows symbolic links, a crafted tarball containing a symlink entry followed by a directory entry with the same name causes the crate to treat the symlink target as a valid existing directory — and subsequently apply chmod to it. This allows an attacker to modify the permissions of arbitrary directories outside the extraction root.
References
- github.com/advisories/GHSA-j4xf-2g29-59ph
- github.com/alexcrichton/tar-rs
- github.com/alexcrichton/tar-rs/commit/17b1fd84e632071cb8eef9d3709bf347bd266446
- github.com/alexcrichton/tar-rs/security/advisories/GHSA-j4xf-2g29-59ph
- nvd.nist.gov/vuln/detail/CVE-2026-33056
- rustsec.org/advisories/RUSTSEC-2026-0067.html
Code Behaviors & Features
Detect and mitigate CVE-2026-33056 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →