{"url":"http://public2.vulnerablecode.io/api/packages/222864?format=json","purl":"pkg:nuget/sharpcompress@0.15.2","type":"nuget","namespace":"","name":"sharpcompress","version":"0.15.2","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"0.48.0","latest_non_vulnerable_version":"0.48.0","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/41471?format=json","vulnerability_id":"VCID-4hsx-6guk-a3de","summary":"Path Traversal\nSharpCompress is a fully managed C# library to deal with many compression types and formats. SharpCompress has been found to be vulnerable to partial path traversal. SharpCompress recreates a hierarchy of directories under destinationDirectory if `ExtractFullPath` is set to true in options. In order to prevent extraction outside the destination directory the `destinationFileName` path is verified to begin with `fullDestinationDirectoryPath`. However, it is not enforced that `fullDestinationDirectoryPath` ends with a slash. If the `destinationDirectory` is not slash-terminated, like `/home/user/dir`, it is possible to create a file whose path begins with the destination directory path but sits one level up from that directory, i.e. `/home/user/dir.sh`. Because of the file name and destination directory constraints the arbitrary file creation impact is limited and depends on the use case. 
This issue is fixed in SharpCompress","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-39208","reference_id":"","reference_type":"","scores":[{"value":"0.00432","scoring_system":"epss","scoring_elements":"0.62964","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00432","scoring_system":"epss","scoring_elements":"0.63009","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00432","scoring_system":"epss","scoring_elements":"0.62991","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00432","scoring_system":"epss","scoring_elements":"0.63005","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00432","scoring_system":"epss","scoring_elements":"0.63015","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00432","scoring_system":"epss","scoring_elements":"0.63006","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-39208"},{"reference_url":"https://github.com/adamhathcock/sharpcompress","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/adamhathcock/sharpcompress"},{"reference_url":"https://github.com/adamhathcock/sharpcompress/commit/ea5c8dc06314c7a5068e7901c51a625224d2b288","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/adamhathcock/sharpcompress/commit/ea5c8dc06314c7a5068e7901c51a625224d2b288"},{"reference_url":"https://github.
com/adamhathcock/sharpcompress/pull/614","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/adamhathcock/sharpcompress/pull/614"},{"reference_url":"https://github.com/adamhathcock/sharpcompress/releases/tag/0.29.0","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/adamhathcock/sharpcompress/releases/tag/0.29.0"},{"reference_url":"https://github.com/adamhathcock/sharpcompress/security/advisories/GHSA-jp7f-grcv-6mjf","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/adamhathcock/sharpcompress/security/advisories/GHSA-jp7f-grcv-6mjf"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-39208","reference_id":"CVE-2021-39208","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"v
alue":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-39208"},{"reference_url":"https://github.com/advisories/GHSA-jp7f-grcv-6mjf","reference_id":"GHSA-jp7f-grcv-6mjf","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-jp7f-grcv-6mjf"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/58997?format=json","purl":"pkg:nuget/sharpcompress@0.29.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-nvuh-5fuu-huca"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:nuget/sharpcompress@0.29.0"}],"aliases":["CVE-2021-39208","GHSA-jp7f-grcv-6mjf"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-4hsx-6guk-a3de"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/92853?format=json","vulnerability_id":"VCID-nvuh-5fuu-huca","summary":"SharpCompress has directory traversal via directory entries in WriteToDirectory (zip slip variant)\n### Summary\n\nA path traversal vulnerability in `IArchive.WriteToDirectory()` allows a malicious archive to create directories outside the intended extraction root. 
For TAR archives, this can be escalated to arbitrary file writes by chaining with a symlink entry, giving a full write primitive on the target filesystem subject to the permissions of the running process.\n\n### Details\n\nThe vulnerable code is in the directory-entry branch of `WriteToDirectoryInternal` (sync, `IArchiveExtensions.cs:48–61`) and `WriteToDirectoryAsyncInternal` (async, `IAsyncArchiveExtensions.cs:70–84`):\n\n```csharp\nvar dirPath = Path.Combine(destinationDirectory, entry.Key);\nDirectory.CreateDirectory(Path.GetDirectoryName(dirPath + \"/\"));\n```\n\nNo `Path.GetFullPath()` normalisation and no bounds check are applied before the `Directory.CreateDirectory` call. Two .NET `Path.Combine` behaviours make this exploitable:\n\n- **Relative traversal**: `Path.Combine(\"/safe/extract\", \"../../evil\")` → the OS resolves `..` segments on the raw path, placing the directory outside the extraction root.\n- **Absolute path override**: `Path.Combine(\"/safe/extract\", \"/tmp/evil\")` → returns `\"/tmp/evil\"` — the base is discarded entirely for rooted paths.\n\nFile entries are **not** directly affected — they route through `ExtractionMethods.WriteEntryToDirectory` which applies the correct guard (`GetFullPath` + `StartsWith`, see `ExtractionMethods.cs:54–65`). The directory-entry branch is a separate fast-path that was added without that guard.\n\nAffected archive formats: ZIP and TAR (non-solid). Solid archives and 7-Zip use the reader path which calls the secure method.\n\n#### Escalation to arbitrary file writes (TAR only)\n\n`Path.GetFullPath` on .NET does not resolve symlinks — it only normalises `.` and `..` segments. 
This means the file-entry guard in `ExtractionMethods.WriteEntryToDirectory` can be bypassed via symlink chaining in TAR archives when the caller supplies a `SymbolicLinkHandler`:\n\n```csharp\narchive.WriteToDirectory(\"/safe/extract\", new ExtractionOptions\n{\n    ExtractFullPath = true,\n    SymbolicLinkHandler = (linkPath, linkTarget) =>\n        File.CreateSymbolicLink(linkPath, linkTarget)  // naive — no validation of linkTarget\n});\n```\n\nAttack sequence in a single TAR archive:\n\n1. **Symlink entry** — `link` → `../evil_outside/`\n   The `SymbolicLinkHandler` creates `/safe/extract/link` pointing outside the extraction root.\n\n2. **File entry** — `link/secret.txt`\n   `ExtractionMethods.WriteEntryToDirectory` computes:\n   - `destdir = Path.GetFullPath(\"/safe/extract/link\")` → `\"/safe/extract/link\"` — textually inside root, check passes ✓\n   - `File.Open(\"/safe/extract/link/secret.txt\")` — OS follows symlink, file is written to `/evil_outside/secret.txt`\n\nThe library does not validate `linkTarget` before passing it to the caller's handler, and the XML docs do not warn that it may be a traversal path. 
The idiomatic handler implementation above is therefore silently exploitable.\n\nZIP does not support symlinks in SharpCompress (`ZipEntry.LinkTarget` always returns `null`), so this escalation is TAR-only.\n\n| Attack | ZIP | TAR |\n|--------|-----|-----|\n| Directory traversal (escape extraction root) | Yes | Yes |\n| Escalate to arbitrary file writes via symlink chain | No | Yes (if caller provides `SymbolicLinkHandler`) |\n\n**Recommended fix** — apply the same pattern from `ExtractionMethods.WriteEntryToDirectory` to both affected files:\n\n```csharp\nvar fullDestDir = Path.GetFullPath(destinationDirectory);\nif (!fullDestDir.EndsWith(Path.DirectorySeparatorChar))\n    fullDestDir += Path.DirectorySeparatorChar;\n\nvar dirPath = Path.GetFullPath(Path.Combine(fullDestDir, entry.Key));\nif (!dirPath.StartsWith(fullDestDir, PathComparison))\n    throw new ExtractionException(\n        \"Entry is trying to create a directory outside of the destination directory.\");\n\nDirectory.CreateDirectory(dirPath);\n```\n\nAdditionally, the library should validate `LinkTarget` before invoking the caller's `SymbolicLinkHandler`, or document clearly that callers must validate it themselves.\n\n### PoC\n\nA self-contained .NET console app is available at:\n`https://github.com/svenclaesson/poc-sharpcompress-traversal`\n\n```\ngit clone https://github.com/svenclaesson/poc-sharpcompress-traversal\ncd poc-sharpcompress-traversal\ndotnet run\n```\n\nThe PoC crafts a ZIP with three directory entries (`../../escaped_relative/`, `/tmp/escaped_absolute/`, `safe_subdir/`) using `System.IO.Compression` (stdlib), then extracts with SharpCompress. Output shows `[ESCAPED]` for the two malicious entries and `[ok]` for the legitimate one, on both sync and async APIs.\n\nTested against SharpCompress 0.47.4 (latest NuGet).\n\n### Impact\n\nThis is a path traversal / zip slip vulnerability (CWE-22). 
Any application that calls `archive.WriteToDirectory()` on an untrusted archive is affected — which covers the primary documented extraction API.\n\nFor ZIP archives the impact is limited to arbitrary directory creation, which can be used to stage privilege escalation (e.g. cron drop-ins, XDG config paths, service spool directories) or shadow expected paths to alter application behaviour.\n\nFor TAR archives, callers that implement a `SymbolicLinkHandler` — which is the only way to faithfully restore a TAR — are exposed to a full arbitrary file write primitive via the symlink chaining described above.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-44788","reference_id":"","reference_type":"","scores":[{"value":"0.00012","scoring_system":"epss","scoring_elements":"0.01845","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00012","scoring_system":"epss","scoring_elements":"0.01867","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00012","scoring_system":"epss","scoring_elements":"0.01872","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00012","scoring_system":"epss","scoring_elements":"0.01864","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00012","scoring_system":"epss","scoring_elements":"0.01853","published_at":"2026-06-08T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-44788"},{"reference_url":"https://github.com/adamhathcock/sharpcompress","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/adamhathcock/sharpcompress"},{"reference_url":"https://github.com/adamhathcock/sharpcompress/security/advisories/GHSA-6c8g-7p36-r338","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:L"},{"value":"MODERA
TE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-27T12:46:10Z/"}],"url":"https://github.com/adamhathcock/sharpcompress/security/advisories/GHSA-6c8g-7p36-r338"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-44788","reference_id":"CVE-2026-44788","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-44788"},{"reference_url":"https://github.com/advisories/GHSA-6c8g-7p36-r338","reference_id":"GHSA-6c8g-7p36-r338","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-6c8g-7p36-r338"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/1154353?format=json","purl":"pkg:nuget/sharpcompress@0.48.0","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:nuget/sharpcompress@0.48.0"}],"aliases":["CVE-2026-44788","GHSA-6c8g-7p36-r338"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-nvuh-5fuu-huca"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/40112?format=json","vulnerability_id":"VCID-rrqx-3s5a-d3fj","summary":"Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')\nSharpCompress is vulnerable to directory traversal, allowing attackers to write to arbitrary files via a ../ (dot dot slash) in a Zip archive entry that is mishandled during extraction. 
This vulnerability is also known as 'Zip-Slip'.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2018-1002206","reference_id":"","reference_type":"","scores":[{"value":"0.02504","scoring_system":"epss","scoring_elements":"0.85643","published_at":"2026-06-09T12:55:00Z"},{"value":"0.02504","scoring_system":"epss","scoring_elements":"0.85621","published_at":"2026-06-04T12:55:00Z"},{"value":"0.02504","scoring_system":"epss","scoring_elements":"0.85642","published_at":"2026-06-05T12:55:00Z"},{"value":"0.02504","scoring_system":"epss","scoring_elements":"0.85648","published_at":"2026-06-06T12:55:00Z"},{"value":"0.02504","scoring_system":"epss","scoring_elements":"0.85644","published_at":"2026-06-07T12:55:00Z"},{"value":"0.02504","scoring_system":"epss","scoring_elements":"0.85629","published_at":"2026-06-08T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2018-1002206"},{"reference_url":"https://github.com/adamhathcock/sharpcompress/commit/42b1205fb435de523e6ef8ac5b7bafbe712997f6","reference_id":"","reference_type":"","scores":[{"value":"5.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/adamhathcock/sharpcompress/commit/42b1205fb435de523e6ef8ac5b7bafbe712997f6"},{"reference_url":"https://github.com/adamhathcock/sharpcompress/commit/80ceb1c375fdb1b4ffba16528c99089e804ce61f","reference_id":"","reference_type":"","scores":[{"value":"5.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/adamhathcock/sharpcompress/commit/80ceb1c375fdb1b4ffba16528c99089e804ce61f"},{"reference_url":"https://github.com/adamhathcock/sharpcompress/pull/374","reference_id":"","reference_type":"","scores":[{"value":"5.5","scoring_system":"cvssv3.1","scoring_el
ements":"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/adamhathcock/sharpcompress/pull/374"},{"reference_url":"https://github.com/snyk/zip-slip-vulnerability","reference_id":"","reference_type":"","scores":[{"value":"5.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/snyk/zip-slip-vulnerability"},{"reference_url":"https://snyk.io/research/zip-slip-vulnerability","reference_id":"","reference_type":"","scores":[{"value":"5.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://snyk.io/research/zip-slip-vulnerability"},{"reference_url":"https://snyk.io/vuln/SNYK-DOTNET-SHARPCOMPRESS-60246","reference_id":"","reference_type":"","scores":[{"value":"5.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://snyk.io/vuln/SNYK-DOTNET-SHARPCOMPRESS-60246"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2018-1002206","reference_id":"CVE-2018-1002206","reference_type":"","scores":[{"value":"5.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2018-1002206"},{"reference_url":"https://github.com/advisories/GHSA-fxh6-w476-hgr4","reference_id":"GHSA-fxh6-w476-hgr4","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-fxh6-w476-hgr4"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io
/api/packages/56166?format=json","purl":"pkg:nuget/sharpcompress@0.21.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-4hsx-6guk-a3de"},{"vulnerability":"VCID-nvuh-5fuu-huca"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:nuget/sharpcompress@0.21.0"}],"aliases":["CVE-2018-1002206","GHSA-fxh6-w476-hgr4"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-rrqx-3s5a-d3fj"}],"fixing_vulnerabilities":[],"risk_score":"3.1","resource_url":"http://public2.vulnerablecode.io/packages/pkg:nuget/sharpcompress@0.15.2"}