GHSA-f7cq-gvh6-qr25: Monitoring is vulnerable to Archive Slip due to missing checks in sanitization

March 16, 2026

The sanitizeArchivePath function in pkg/extract/extract.go (lines 248–254) is vulnerable to a path traversal bypass due to a missing trailing path separator in the strings.HasPrefix check. A crafted tar archive can write files outside the intended destination directory when using the extractor CLI tool or the extract.DumpOTelCollector library function.

References

github.com/advisories/GHSA-f7cq-gvh6-qr25
github.com/ctfer-io/monitoring
github.com/ctfer-io/monitoring/commit/269dba165aa42210352628c0db6756f3b8fd3c8a
github.com/ctfer-io/monitoring/security/advisories/GHSA-f7cq-gvh6-qr25

Code Behaviors & Features

Detect and mitigate GHSA-f7cq-gvh6-qr25 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →