Platform
go
Component
zarf
Fixed in
0.23.1
0.74.2
CVE-2026-40090 describes a Path Traversal vulnerability within the zarf package inspect sbom and zarf package inspect documentation subcommands. This flaw allows attackers to potentially read arbitrary files on the system by crafting malicious packages. The vulnerability affects Zarf versions 0.23.0 up to, but not including, version 0.74.2. A fix has been released in version 0.74.2.
The vulnerability lies in how Zarf constructs output file paths when inspecting packages. Specifically, the Metadata.Name field, which is attacker-controlled data read from the package archive, is used to build the output file path. While this field undergoes regex validation during package creation (^[a-z0-9][a-z0-9\-]*$), it doesn't prevent an attacker from crafting a malicious package that, when inspected, leads to the creation of files in unexpected locations. An attacker could leverage this to read sensitive configuration files, source code, or other data from the system running Zarf. The blast radius is limited to the system executing the zarf command, but the potential for data exposure is significant.
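The check the fix needs, as an added Go example that is not Zarf's own code: the unvalidated join the advisory describes, beside a hardened version that re-applies the quoted create-time pattern at inspect time and confirms the resolved path still lies inside the output directory. The function names, the output directory and the "-sbom" suffix are assumptions for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"regexp"
	"strings"
)

// nameRe is the create-time package-name pattern quoted in the advisory.
var nameRe = regexp.MustCompile(`^[a-z0-9][a-z0-9\-]*$`)

var ErrInvalidName = errors.New("package metadata name failed validation")
var ErrEscapesOutputDir = errors.New("output path escapes the output directory")

// unsafeOutputPath mirrors the flaw the advisory describes: the archive-supplied
// Metadata.Name is joined into the output path with no re-validation at inspect
// time. The "-sbom" suffix is an assumption for illustration, not Zarf's layout.
func unsafeOutputPath(outputDir, metadataName string) string {
	return filepath.Join(outputDir, metadataName+"-sbom")
}

// safeOutputPath re-applies the create-time pattern at inspect time and, as
// defence in depth, confirms the cleaned result still lies under outputDir.
func safeOutputPath(outputDir, metadataName string) (string, error) {
	if !nameRe.MatchString(metadataName) {
		return "", ErrInvalidName
	}
	base := filepath.Clean(outputDir)
	out := filepath.Join(base, metadataName+"-sbom")
	rel, err := filepath.Rel(base, out)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrEscapesOutputDir
	}
	return out, nil
}

func main() {
	// Constructed sample names: one valid, one traversal attempt from a crafted archive.
	for _, name := range []string{"my-pkg", "../../outside"} {
		fmt.Printf("unsafe: %s\n", unsafeOutputPath("/tmp/zarf-out", name))
		p, err := safeOutputPath("/tmp/zarf-out", name)
		fmt.Printf("safe:   path=%q err=%v\n", p, err)
	}
}
```

With the traversal name, the unvalidated join resolves to a path outside /tmp/zarf-out, while the hardened check rejects it before any file is written.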
This vulnerability is not currently listed on the CISA KEV catalog. Public proof-of-concept (PoC) code is not widely available as of the publication date. The CVSS score of 7.1 (HIGH) indicates a moderate probability of exploitation, particularly given the ease of package creation. The vulnerability was disclosed on 2026-04-14.
Developers and DevOps engineers who utilize Zarf for package management and inspection are at risk. Specifically, those who routinely inspect packages from untrusted sources or those who have not implemented robust package signing policies are particularly vulnerable. Shared hosting environments where multiple users share the same Zarf installation could also be affected.
• linux / server: find / -type f -name '*Metadata.Name*' -print
• go / supply-chain: Inspect Go module dependencies for suspicious packages or versions.
• generic web: Monitor Zarf logs for unusual file creation paths during package inspection. Look for patterns that deviate from expected behavior.
disclosure
Exploit status
EPSS
0.05% (14th percentile)
CISA SSVC
CVSS vector
The primary mitigation is to upgrade Zarf to version 0.74.2 or later, which includes the fix for this vulnerability. If upgrading is not immediately feasible, a temporary workaround is to avoid inspecting unsigned packages. This significantly reduces the attack surface by preventing the inspection of potentially malicious artifacts. Consider implementing stricter package signing policies to ensure that only trusted packages are inspected. There are no specific WAF or proxy rules that directly address this vulnerability, as it's a local command execution issue. Detection signatures are challenging to create without specific file path patterns, but monitoring for unusual file creation activity during package inspection could be beneficial.
Upgrade Zarf to version 0.74.2 or later to mitigate the arbitrary file write vulnerability. This version fixes the issue by properly validating user input and preventing manipulation of the file path.
CVE-2026-40090 is a Path Traversal vulnerability in Zarf affecting versions 0.23.0 through 0.74.1. It allows attackers to read arbitrary files by crafting malicious packages.
You are affected if you are using Zarf versions 0.23.0 to 0.74.1. Upgrade to version 0.74.2 or later to resolve the issue.
Upgrade Zarf to version 0.74.2 or later. As a temporary workaround, avoid inspecting unsigned packages.
There are currently no confirmed reports of active exploitation, but the vulnerability's ease of exploitation warrants caution.
Refer to the Zarf project's repository and release notes for the official advisory and details on the fix: [https://github.com/zarf-dev/zarf](https://github.com/zarf-dev/zarf)