Skip to content

v11.1.3

Latest

Choose a tag to compare

@XhmikosR XhmikosR released this 30 May 15:59

Security

Fixes a crafted archive being able to read or write files outside the extraction directory:

  • Validate symlink and hardlink targets against the output directory
  • Replace the prefix-based containment check with path.relative, fixing a sibling-directory bypass
  • Strip setuid, setgid, and sticky bits from extracted files

Advisory: GHSA-mp2f-45pm-3cg9 (CVE-2026-53486)

Other changes

  • Write regular files before hardlinks so a hardlink to an extracted file resolves
  • Internal refactoring of the extraction code

Full changelog: v11.1.2...v11.1.3