bbot unarchive module path traversal risk with old GNU tar
What changed
The unarchive module's archive extraction commands perform no code-level validation of extracted file paths; they rely entirely on the behavior of external tools such as GNU tar, which varies by platform. While CVE-2025-10284 addressed git-specific RCE vectors, the underlying path traversal in archive extraction was never fixed.
Who it affects
Users on systems with GNU tar < 1.34 (Ubuntu 20.04, Debian Buster, CentOS 7, many Docker base images) who use the unarchive module to extract archives from untrusted sources.
What to do today
Update GNU tar to version 1.34 or later, or implement input validation on extracted file paths in the unarchive module.
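As an added illustration (not bbot's own code), the following Python shows what the code-level validation recommended above could look like: every tar entry is resolved against the destination directory before anything is written, entries that would land outside it (`..` components, absolute names, symlinks or hard links pointing out, device nodes) are rejected, and the output of `tar --version` is parsed to flag a GNU tar older than 1.34. The destination path, the function names and the sample archive are constructed for this example.

```python
import io
import os
import re
import subprocess
import tarfile
import tempfile

# Constructed destination directory for the illustration; it need not exist,
# because the checks only resolve paths and never write to disk.
DEST = os.path.join(tempfile.gettempdir(), "bbot-unarchive-example")

# GNU tar 1.34 is the first release the advisory above treats as safe.
PATCHED_GNU_TAR = (1, 34)


def _inside(base: str, path: str) -> bool:
    """True if `path` resolves to a location at or below `base`."""
    base = os.path.realpath(base)
    path = os.path.realpath(path)
    return os.path.commonpath([base, path]) == base


def is_safe_member(member: tarfile.TarInfo, dest: str) -> bool:
    """Reject any entry that would land outside `dest` once extracted.

    Covers the classic traversal cases: `../` components, absolute names,
    symlinks or hard links whose target escapes, and device nodes.
    """
    dest_real = os.path.realpath(dest)
    # os.path.join discards `dest_real` when member.name is absolute, so an
    # absolute entry name resolves to its literal location and fails _inside().
    target = os.path.join(dest_real, member.name)
    if not _inside(dest_real, target):
        return False
    if member.isdev():
        return False
    if member.issym():
        # Symlink targets are relative to the link's own directory.
        link_target = os.path.join(os.path.dirname(target), member.linkname)
        return _inside(dest_real, link_target)
    if member.islnk():
        # Hard-link targets are relative to the archive root.
        return _inside(dest_real, os.path.join(dest_real, member.linkname))
    return True


def audit_archive(data: bytes, dest: str) -> dict:
    """Map each entry name in a tar archive to whether extracting it into `dest` is safe."""
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        return {m.name: is_safe_member(m, dest) for m in tar.getmembers()}


def gnu_tar_needs_upgrade(version_output: str) -> bool:
    """True when `version_output` (from `tar --version`) is GNU tar older than 1.34."""
    first_line = version_output.splitlines()[0] if version_output else ""
    if "GNU tar" not in first_line:
        return False  # bsdtar/busybox: not the GNU tar case this page is about
    match = re.search(r"(\d+)\.(\d+)", first_line)
    if not match:
        return False
    return (int(match.group(1)), int(match.group(2))) < PATCHED_GNU_TAR


def build_sample_tar() -> bytes:
    """Constructed in-memory archive mixing benign entries with traversal attempts."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in ("good/file.txt", "../escape.txt", "/abs.txt"):
            info = tarfile.TarInfo(name)
            payload = b"sample\n"
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))
        link = tarfile.TarInfo("link-out")
        link.type = tarfile.SYMTYPE
        link.linkname = "../../etc/passwd"
        tar.addfile(link)
    return buf.getvalue()


SAMPLE_TAR = build_sample_tar()

if __name__ == "__main__":
    for name, ok in audit_archive(SAMPLE_TAR, DEST).items():
        print(f"{'OK  ' if ok else 'DENY'} {name}")
    # Version check against whatever tar is on PATH.
    try:
        out = subprocess.run(["tar", "--version"], capture_output=True, text=True).stdout
        print("GNU tar needs upgrade:", gnu_tar_needs_upgrade(out))
    except FileNotFoundError:
        print("tar not found on PATH")
```

The audit deliberately happens on the archive listing rather than after extraction, so a hostile entry is never written even on a platform whose tar would have honoured it; the same `is_safe_member` check can be applied to each member before handing the archive to an external extractor.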