CVE-2026-32771: Monitoring is vulnerable to Archive Slip due to missing checks in sanitization
(updated )
The sanitizeArchivePath function in pkg/extract/extract.go (lines 248–254) is vulnerable to a path traversal bypass due to a missing trailing path separator in the strings.HasPrefix check. A crafted tar archive can write files outside the intended destination directory when using the extractor CLI tool or the extract.DumpOTelCollector library function.
References
- github.com/advisories/GHSA-f7cq-gvh6-qr25
- github.com/ctfer-io/monitoring
- github.com/ctfer-io/monitoring/commit/269dba165aa42210352628c0db6756f3b8fd3c8a
- github.com/ctfer-io/monitoring/security/advisories/GHSA-f7cq-gvh6-qr25
- nvd.nist.gov/vuln/detail/CVE-2026-32771
- security.snyk.io/research/zip-slip-vulnerability
Code Behaviors & Features
Detect and mitigate CVE-2026-32771 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →