Plattform
go
Komponente
github.com/zarf-dev/zarf
Behoben in
0.54.1
0.73.1
CVE-2026-29064 describes a symlink vulnerability within Zarf, a tool for deploying Kubernetes applications. This flaw allows an attacker to manipulate symbolic links within archives, potentially enabling them to write files outside the intended destination directory. Versions of Zarf prior to 0.73.1 are affected, and a fix has been released in version 0.73.1.
The core of this vulnerability lies in Zarf's handling of symlinks within archive files. When Zarf extracts archives, it doesn't properly validate the destination directory of symlinks. A malicious actor could craft an archive containing a symlink that, when extracted, overwrites critical files within the Zarf installation or even system files if Zarf is run with elevated privileges. This could lead to arbitrary code execution, denial of service, or compromise of the Kubernetes cluster being managed by Zarf. The potential impact is significant, as it could allow an attacker to gain control over the entire environment.
This vulnerability was publicly disclosed on 2026-03-10. There are currently no known public proof-of-concept exploits available. The vulnerability is not listed on the CISA KEV catalog as of this writing. The probability of exploitation is currently considered low, but the potential impact warrants immediate attention and patching.
Organizations heavily reliant on Zarf for Kubernetes application deployment are at significant risk. This includes teams using Zarf in CI/CD pipelines, those deploying applications to production environments, and those with limited security controls around file integrity. Shared hosting environments utilizing Zarf are particularly vulnerable due to the potential for cross-tenant exploitation.
• go / binary: Monitor for unusual file creation or modification within the Zarf deployment directory. Use find /path/to/zarf -type f -mmin -60 to identify recently modified files.
• generic web: Inspect Zarf deployment archives for suspicious symlinks using tar -tvf archive.tar | grep '^l' to identify symbolic links.
• linux / server: Use ls -l within the Zarf deployment directory to check for unexpected symlinks pointing outside the intended directory.
disclosure
Exploit-Status
EPSS
0.01% (2% Perzentil)
CISA SSVC
CVSS-Vektor
The primary mitigation for CVE-2026-29064 is to upgrade Zarf to version 0.73.1 or later, which includes the necessary validation checks. If an immediate upgrade is not feasible, consider restricting write access to the Zarf installation directory to prevent attackers from exploiting the vulnerability. Additionally, carefully scrutinize any archives downloaded from untrusted sources before extracting them with Zarf. There are no specific WAF or proxy rules applicable, as the vulnerability is within the Zarf application itself.
Actualice Zarf a la versión 0.73.1 o superior. Esta versión corrige la vulnerabilidad de path traversal en la extracción de archivos, evitando la creación de enlaces simbólicos fuera del directorio de destino.
Schwachstellenanalysen und kritische Warnungen direkt in deinen Posteingang.
CVE-2026-29064 is a high-severity vulnerability in Zarf affecting versions prior to 0.73.1. It allows attackers to manipulate symbolic links within archives, potentially leading to arbitrary code execution.
You are affected if you are using Zarf versions 0.73.0 or earlier. Upgrade to version 0.73.1 or later to resolve this vulnerability.
Upgrade Zarf to version 0.73.1 or later. This version includes the necessary validation checks to prevent the exploitation of symlink targets.
There are currently no confirmed reports of active exploitation, but the vulnerability's potential impact warrants immediate attention and remediation.
Refer to the official Zarf project repository and release notes for the latest information and advisory regarding CVE-2026-29064.
Lade deine Abhängigkeitsdatei hoch und erfahre sofort, ob dich diese und andere CVEs treffen.
Lade deine go.mod-Datei hoch und wir sagen dir sofort, ob du betroffen bist.