PT-2026-26573 · Tar-Rs+2

Xokdvium · Published 2026-03-19 · Updated 2026-04-14 · CVE-2026-33056

CVSS v2.0: 7.8 (High)

Vector: AV:N/AC:L/Au:N/C:N/I:C/A:N
Name of the Vulnerable Software and Affected Versions: tar-rs versions 0.4.44 and below

Description: The tar-rs crate's `unpack_dir` function uses `fs::metadata()` to check whether a path already exists as a directory while unpacking a tar archive. Because `fs::metadata()` follows symbolic links, a specially crafted tarball containing a symlink entry followed by a directory entry with the same name causes the crate to treat the symlink target as a valid existing directory. The crate then applies chmod to that target, allowing an attacker to modify the permissions of arbitrary directories outside the extraction root. The root cause is that `fs::metadata()` follows symbolic links. The fix uses `fs::symlink_metadata()` in `unpack_dir` to detect and reject symlinks instead of following them.

Recommendations: Versions 0.4.44 and below should be updated to version 0.4.45 or later.
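The following is an added illustration, not code from tar-rs or from this advisory: it places the vulnerable existence check (`fs::metadata()`, which follows symlinks) beside a hardened one built on `fs::symlink_metadata()`, and runs both against a constructed extraction root in which the entry name `dir` is a symlink to a directory outside that root. Function names and the temp-directory layout are assumptions for the demo; it assumes a Unix host.

```rust
use std::fs;
use std::io;
use std::os::unix::fs::symlink;
use std::path::Path;

/// Vulnerable pattern (as described in the advisory): fs::metadata() follows
/// symlinks, so a symlink pointing at a directory outside the extraction
/// root is reported as "an existing directory".
fn is_existing_dir_following_symlinks(path: &Path) -> bool {
    fs::metadata(path).map(|m| m.is_dir()).unwrap_or(false)
}

/// Hardened pattern (the direction of the fix): fs::symlink_metadata() does
/// not follow symlinks, so a symlink is rejected and only a real directory
/// (or a path that does not exist yet) is accepted.
fn ensure_real_dir(path: &Path) -> io::Result<()> {
    match fs::symlink_metadata(path) {
        Ok(m) if m.file_type().is_symlink() => Err(io::Error::new(
            io::ErrorKind::InvalidData,
            "refusing to treat a symlink as an existing directory",
        )),
        Ok(m) if m.is_dir() => Ok(()),
        Ok(_) => Err(io::Error::new(io::ErrorKind::AlreadyExists, "exists, not a dir")),
        Err(e) if e.kind() == io::ErrorKind::NotFound => fs::create_dir(path),
        Err(e) => Err(e),
    }
}

/// Constructed scenario: an "outside" directory and, inside the extraction
/// root, a symlink named `dir` pointing at it (the archive's symlink entry).
/// Returns (unsafe check says "is a dir", hardened check accepts the path).
fn demo() -> io::Result<(bool, bool)> {
    let base = std::env::temp_dir().join(format!("tar-rs-demo-{}", std::process::id()));
    let outside = base.join("outside");
    let root = base.join("extract_root");
    fs::create_dir_all(&outside)?;
    fs::create_dir_all(&root)?;
    let link = root.join("dir");
    symlink(&outside, &link)?;
    let unsafe_says_dir = is_existing_dir_following_symlinks(&link);
    let hardened_accepts = ensure_real_dir(&link).is_ok();
    fs::remove_dir_all(&base)?;
    Ok((unsafe_says_dir, hardened_accepts))
}

fn main() -> io::Result<()> {
    let (unsafe_says_dir, hardened_accepts) = demo()?;
    println!("fs::metadata treats the symlink as a directory: {unsafe_says_dir}");
    println!("fs::symlink_metadata accepts it: {hardened_accepts}");
    Ok(())
}
```

The vulnerable check answers true for the symlink, which is exactly the state in which the directory entry's chmod would be applied to the outside target; the hardened check refuses it.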

Related Identifiers

BDU:2026-05929
CVE-2026-33056
GHSA-J4XF-2G29-59PH
RUSTSEC-2026-0067
USN-8138-1
USN-8138-2
USN-8139-1
USN-8168-1
USN-8168-2

Affected Products

Linuxmint
Ubuntu
Tar-Rs