5.9
junrar: Attackers can write files to any directory
GHSA-hf5p-q87m-crj7
Summary
The junrar software has a bug that lets attackers write files to any directory on your computer if they send a special kind of RAR file. This could be used to spread malware or steal sensitive data. Update your software to fix this issue.
What to do
- Update the Maven package com.github.junrar:junrar (vendor: github) to version 7.5.10.
Affected software
| Ecosystem | Vendor | Product | Affected versions |
|---|---|---|---|
| Maven | github | com.github.junrar:junrar | < 7.5.10 (fix: upgrade to 7.5.10) |
Original title
Junrar: Path Traversal (Zip-Slip) via Sibling Directory Name Prefix
Original description
### Summary
A path traversal vulnerability in `LocalFolderExtractor` allows an attacker to write arbitrary files with attacker-controlled content into sibling directories when a crafted RAR archive is extracted.
### Example
Given an extraction directory of `/tmp/extract`, an entry in a crafted archive named `../extract_evil/file.txt` is actually extracted to `/tmp/extract_evil/file.txt`.
### Details
The `createDirectory()` and `createFile()` methods in `LocalFolderExtractor` validate extraction paths using a string prefix.
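The flaw described above comes down to comparing path strings by prefix: `/tmp/extract_evil/file.txt` starts with the characters `/tmp/extract`, so a string check accepts it. The following added example (not junrar's code; the class and method names are hypothetical) reproduces that flawed check beside a component-wise check built on `java.nio.file.Path`, using the advisory's own `/tmp/extract` case. It assumes POSIX-style paths.

```java
import java.nio.file.Path;
import java.nio.file.Paths;

// Hypothetical demonstration class; not part of junrar.
public class ExtractionPathCheck {

    // Flawed idea: a character-level prefix comparison on the resolved path.
    // "/tmp/extract_evil/file.txt" starts with "/tmp/extract", so it is accepted.
    static boolean allowedByStringPrefix(String extractDir, String entryName) {
        Path target = Paths.get(extractDir).resolve(entryName).normalize();
        return target.toString().startsWith(extractDir);
    }

    // Component-wise check: Path.startsWith(Path) matches whole name elements,
    // so "/tmp/extract_evil" is not treated as being inside "/tmp/extract".
    // normalize() collapses "..", and an absolute entry name resolves to itself
    // and is therefore rejected as well.
    static boolean allowedByPathComponents(String extractDir, String entryName) {
        Path base = Paths.get(extractDir).toAbsolutePath().normalize();
        Path target = base.resolve(entryName).normalize();
        return target.startsWith(base);
    }

    public static void main(String[] args) {
        String base = "/tmp/extract";                 // extraction directory from the advisory
        String[] entries = {                          // constructed sample entry names
            "docs/readme.txt",                        // benign: accepted by both checks
            "../extract_evil/file.txt",               // sibling-directory case from the advisory
            "../../outside/file.txt",                 // plain traversal: rejected by both
            "/tmp/extract_evil/file.txt"              // absolute sibling path: rejected by components
        };
        for (String e : entries) {
            System.out.printf("%-30s stringPrefix=%-5b pathComponents=%b%n", e,
                    allowedByStringPrefix(base, e), allowedByPathComponents(base, e));
        }
    }
}
```

Only the second line of output differs between the two checks: the string prefix test accepts `../extract_evil/file.txt`, the component-wise test rejects it.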
CVSS 3.1 (osv): 5.9
Vulnerability type
CWE-22
Path Traversal
Published: 16 Apr 2026 · Updated: 16 Apr 2026 · First seen: 16 Apr 2026