Nixpkgs security tracker

Published

Permalink CVE-2026-29064

8.2 HIGH

CVSS version: 3.1
Attack vector (AV): LOCAL
Attack complexity (AC): LOW
Privileges required (PR): NONE
User interaction (UI): REQUIRED
Scope (S): CHANGED
Confidentiality impact (C): HIGH
Integrity impact (I): HIGH
Availability impact (A): NONE

updated 1 month, 1 week ago by @mweinelt Activity log

Created automatic suggestion 1 month, 1 week ago
@mweinelt accepted 1 month, 1 week ago
@mweinelt published on GitHub 1 month, 1 week ago

Zarf: Symlink targets in archives are not validated against destination directory

Zarf is an Airgap Native Packager Manager for Kubernetes. From version 0.54.0 to before version 0.73.1, a path traversal vulnerability in archive extraction allows a specifically crafted Zarf package to create symlinks pointing outside the destination directory, enabling arbitrary file read or write on the system processing the package. This issue has been patched in version 0.73.1.

References

https://github.com/zarf-dev/zarf/security/advisories/GHSA-hcm4-6hpj-vghm x_refsource_CONFIRM
https://github.com/zarf-dev/zarf/releases/tag/v0.73.1 x_refsource_MISC

Affected products

zarf

==>= 0.54.0, < 0.73.1

Matching in nixpkgs

pkgs.zarf

DevSecOps for Air Gap & Limited-Connection Systems. https://zarf.dev

nixos-unstable 0.70.1
- nixpkgs-unstable 0.70.1
- nixos-unstable-small 0.70.1
nixos-25.11 0.64.0
- nixos-25.11-small 0.64.0
- nixpkgs-25.11-darwin 0.64.0

pkgs.idrisPackages.hezarfen

Theorem prover for intuitionistic propositional logic in Idris, with metaprogramming features

nixos-unstable 2018-02-03
- nixpkgs-unstable 2018-02-03
- nixos-unstable-small 2018-02-03
nixos-25.11 2018-02-03
- nixos-25.11-small 2018-02-03
- nixpkgs-25.11-darwin 2018-02-03

Package maintainers

@brainrake Marton Boros <martonboros@gmail.com>
@ragingpastry Nick Wilburn <senior.crepe@gmail.com>

https://github.com/zarf-dev/zarf/security/advisories/GHSA-hcm4-6hpj-vghm