Jul 14, 2026·6 min read·5 visits
A Zip Slip path traversal vulnerability in K3s allows administrative users with snapshot restore capabilities to write arbitrary files to the host filesystem, potentially leading to remote code execution and host takeover.
CVE-2026-54250 is a path traversal vulnerability in K3s, a lightweight Kubernetes distribution. The flaw exists within the etcd snapshot decompression functionality, allowing administrative users to write arbitrary files to the host filesystem via a maliciously crafted ZIP archive. Due to the high privilege level of the K3s process, this can result in total host compromise.
The affected component is the etcd snapshot decompression subsystem within the K3s lightweight Kubernetes distribution. K3s simplifies cluster operations by providing built-in utilities for backing up and restoring cluster state. The vulnerability manifests when an administrator restores an etcd snapshot packaged inside a compressed ZIP archive.
This flaw is classified under CWE-22, representing improper limitation of a pathname to a restricted directory, also known as a Zip Slip vulnerability. The attack surface is exposed directly through the command-line interface when executing snapshot restoration commands. An attacker who successfully exploits this flaw can bypass directory boundaries to write arbitrary files onto the host filesystem.
Because the core K3s process runs with elevated administrative privileges, typically as root, any files written via this mechanism inherit these root privileges. This permits unauthorized modification of critical system directories outside the designated snapshot storage area. The impact is restricted to the host where the recovery command is executed, representing a host-level integrity threat.
The root cause of this vulnerability lies in the naive extraction logic employed by K3s when processing compressed snapshot archives. When a ZIP file is supplied for restoration, the decompression routine iterates over the individual files declared within the archive. For each file, the application constructs the output target path by concatenating the destination directory with the filename header provided by the archive.
In Go, this concatenation is commonly performed using filepath.Join, which automatically runs filepath.Clean on the resulting path string. However, if the filename header contains directory traversal sequences such as ../, filepath.Clean resolves these sequences relative to the destination directory. Consequently, if the archive header specifies ../../../../etc/shadow, the resolved path points outside the designated restoration directory.
To prevent directory traversal, an application must perform explicit validation to ensure that the resolved target path remains a child of the destination directory. Prior to the fix, K3s did not perform any prefix-check or boundary validation on the generated target paths. The decompression process blindly trusted the archive headers, writing the decompressed payloads to arbitrary filesystem locations.
To understand the vulnerable pattern, consider the typical implementation of ZIP file extraction in Go without path verification. The application reads each header, constructs the destination path, and opens the file for writing.
// Vulnerable Implementation Pattern
for _, file := range zipReader.File {
// Naive concatenation allows path traversal
targetPath := filepath.Join(destinationDir, file.Name)
// The application creates the directory structure and writes the file
if err := os.MkdirAll(filepath.Dir(targetPath), 0755); err != nil {
return err
}
outFile, err := os.OpenFile(targetPath, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, file.Mode())
if err != nil {
return err
}
defer outFile.Close()
// ... copy contents ...
}The remediated implementation prevents this directory traversal by verifying the relative relationship between the destination directory and the targeted write path. It ensures that the absolute target path contains the absolute destination directory path as a prefix.
// Remediated Implementation Pattern
cleanDest := filepath.Clean(destinationDir)
for _, file := range zipReader.File {
targetPath := filepath.Join(cleanDest, file.Name)
// Verify that the target path does not escape the destination directory
rel, err := filepath.Rel(cleanDest, targetPath)
if err != nil || strings.HasPrefix(rel, "..") || strings.HasPrefix(rel, string(filepath.Separator)) {
return fmt.Errorf("illegal file path: %s", file.Name)
}
// Proceed safely with extraction
if err := os.MkdirAll(filepath.Dir(targetPath), 0755); err != nil {
return err
}
// ... write contents ...
}Exploitation of CVE-2026-54250 requires local administrative privileges or a social-engineering vector to coerce an administrator into restoring a corrupted snapshot. The attacker must construct a malicious ZIP archive that includes an etcd snapshot database alongside targeted traversal paths. These paths point to critical system files or executable directories, such as /etc/cron.d or /etc/systemd/system.
Once the ZIP file is staged on the host, the attacker triggers the decompression by executing the K3s server reset command with the target restoration path argument. The command format is k3s server --cluster-reset --cluster-reset-restore-path=/path/to/archive.zip. Upon execution, the K3s server process, running as root, unpacks the snapshot.
The extraction process writes the malicious files to the absolute paths specified in the traversal sequence. For instance, writing a payload into /etc/cron.d/malicious_job forces the host operating system's cron daemon to execute arbitrary commands. This achieves local privilege escalation and full host compromise, bypassing containerization boundaries completely.
The severity of CVE-2026-54250 is evaluated as Medium with a CVSS v3.1 base score of 5.8. The attack complexity is low, but the vulnerability requires high privileges (PR:H) and user interaction (UI:R) to execute. The scope is unchanged (S:U), and the direct impact is limited to integrity (I:H) and availability (A:H) of the host operating system.
While classified as Medium, the real-world impact of successful exploitation is severe. An attacker can overwrite critical system files, including the /etc/shadow file, shell profiles, or systemd services. This capability guarantees immediate execution of arbitrary code with root privileges on the next service initialization or cron schedule execution.
Additionally, an attacker can overwrite internal K3s binaries, local certificate authority files, or database configurations. This can cause persistent denial of service conditions or compromise the identity and security of the entire Kubernetes cluster managed by the affected node.
The recommended remediation is updating the K3s installation to a patched release. For the 1.35 branch, upgrade to version 1.35.3+k3s1 or later. For the 1.34 branch, upgrade to version 1.34.6+k3s1 or later. For legacy installations, migrate to version v1.33.10+k3s1 or later.
In environments where immediate upgrading is not possible, administrators can mitigate the risk by setting the GODEBUG environment variable. By running GODEBUG=zipinsecurepath=0 prior to executing the K3s restore command, the Go runtime actively blocks files containing insecure traversal paths from being decompressed.
Alternatively, administrators can bypass the K3s ZIP extraction logic entirely by manually decompressing the ZIP snapshot using a secure utility like unzip. After ensuring no unexpected files exist in the manual destination folder, the restore operation can be pointed directly to the uncompressed etcd database file, which prevents K3s from executing its internal ZIP parser.
CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:N/I:H/A:H| Product | Affected Versions | Fixed Version |
|---|---|---|
K3s Rancher/SUSE | >= 1.35.0-rc1+k3s1 to < 1.35.3+k3s1 | 1.35.3+k3s1 |
K3s Rancher/SUSE | >= 1.34.0-rc1+k3s1 to < 1.34.6+k3s1 | 1.34.6+k3s1 |
K3s Rancher/SUSE | < v1.33.10+k3s1 | v1.33.10+k3s1 |
| Attribute | Detail |
|---|---|
| CWE ID | CWE-22 |
| Attack Vector | Local (AV:L) |
| CVSS Score | 5.8 (Medium) |
| EPSS Score | 0.00122 (Percentile: 2.32%) |
| Exploit Status | Unproven/None |
| CISA KEV Status | Not Listed |
The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize elements such as '..' that can resolve to a location outside of the intended directory.
A technical analysis of CVE-2025-61670, a memory leak vulnerability in Wasmtime's C and C++ API bindings. The issue stems from a refactoring in version 37.0.0 that transitioned garbage-collected reference tracking to host heap-allocated OwnedRooted types without updating FFI ownership semantics.
A critical authentication bypass vulnerability in Woodpecker CI allows authenticated agents to impersonate other agents by injecting spoofed agent_id values into gRPC metadata. This flaw is caused by the use of md.Append instead of md.Set on the server-side RPC authorizer.
Fedify, a TypeScript framework for ActivityPub servers, implemented incomplete public URL validation inside the @fedify/fedify and @fedify/vocab-runtime libraries. The validator only blocked basic RFC 1918 networks, standard loopbacks, and link-local addresses, failing to restrict Carrier-Grade NAT (CGNAT), benchmarking, reserved, or IPv6 transition addresses. Consequently, unauthenticated remote attackers can bypass SSRF filters to access sensitive internal microservices and endpoints.
A Denial of Service vulnerability exists in the json-repair Python library due to an unconstrained loop during JSON Schema reference resolution. By submitting a circular JSON Schema, an attacker can trigger infinite recursion, causing 100 percent CPU exhaustion. Because this package is heavily utilized in LLM data-processing pipelines, this flaw presents a substantial threat to application availability.
A cryptographic validation flaw in the Apple App Store Server Python Library allows an attacker to bypass Online Certificate Status Protocol (OCSP) revocation checks. When online verification is enabled, the library fails to validate temporal constraints on OCSP response payloads. This flaw enables network-positioned adversaries to perform OCSP replay attacks, forcing the application to accept JSON Web Signatures (JWS) signed by revoked certificates.
The DIRAC PilotManager component contains combined security weaknesses: a SQL injection vulnerability (CWE-89) in the PilotAgentsDB database interaction layer, and an improper access control configuration (CWE-284) within the default authorization structure. A low-privilege authenticated attacker can bypass intended authorization checks to run administrative commands, manipulate grid job tracking records, and execute arbitrary SQL statements against the backend database.