Skip to content

v10.2.1

Choose a tag to compare

@XhmikosR XhmikosR released this 30 May 15:59

Backport the v11.1.3 security fixes to v10.x:

  • Validate symlink and hardlink targets against the output directory
  • Replace the prefix-based containment check with path.relative, fixing a sibling-directory bypass
  • Strip setuid, setgid, and sticky bits from extracted files

Advisory: GHSA-mp2f-45pm-3cg9 (CVE-2026-53486)

Full Changelog: v10.2.0...v10.2.1