2 matches found
PraisonAI's symlink-extraction bypass of `_safe_extractall` writes outside `dest_dir`
Summary The safeextractall helper that all recipe pull, recipe publish, and recipe unpack flows route through validates each archive member's name for absolute paths, .. segments, and resolved-path escape — but does not validate member.linkname, does not reject symlink/hardlink members, and calls...
PT-2025-50230
Name of the Vulnerable Software and Affected Versions Argo Workflows versions 3.6.13 and below Argo Workflows versions 3.7.0 through 3.7.4 Description Argo Workflows, a container-native workflow engine for Kubernetes, has an issue with unsafe untar code that improperly handles symbolic links with...