github.com/u-root/u-root/pkg/cpio is susceptible to arbitrary file write. The vulnerability exists because it uses filepath.Join
without properly handling the file path for character /
before performing cpio file extraction, therefore going out of the destination directory.