Threat Advisory

Path Traversal Vulnerability in CTFer.io Archive Extraction

Threat: Vulnerability
Threat Actor Name: -
Threat Actor Type: -
Targeted Region: Global
Alias: -
Threat Actor Region: -
Targeted Sector: Technology & IT
Criticality: High

EXECUTIVE SUMMARY:

CVE-2026-32771 is a path traversal flaw in the CTFer.io Monitoring component, specifically in its archive extraction functionality. Because the sanitizeArchivePath function does not properly validate entry paths, an attacker can craft an archive whose entries bypass the directory restriction and are written outside the intended extraction path. This enables arbitrary file overwrite, which can lead to modification of sensitive system files, injection of malicious configuration, or establishment of persistence. In containerized environments the risk is amplified: shared storage lets a malicious payload written by one workload be read or executed by others, potentially resulting in remote code execution and long-term compromise of the environment. The vulnerability has a CVSS score of 8.3.
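The bug class described above is an archive entry name that, after the sanitizer runs, still resolves to a location outside the extraction directory. The following Go program is an added example written for this advisory; it is not CTFer.io code and does not reproduce the project's sanitizeArchivePath. naiveSanitizePath is a constructed weak sanitizer that strips a leading "../" once, safeExtractPath is a hardened replacement that checks the fully cleaned path, and the entry names and the /srv/extract destination are made up for the demonstration.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrTraversal is returned for an archive entry whose resolved path would
// land outside the extraction directory.
var ErrTraversal = errors.New("archive entry escapes extraction directory")

// naiveSanitizePath is a deliberately weak sanitizer, constructed for this
// example to illustrate the bug class (it is not the project's code). It
// strips one leading "../" and trusts the result. filepath.Join still
// collapses any remaining ".." segments, so "a/../../etc/passwd" resolves
// to a path outside dest.
func naiveSanitizePath(dest, name string) string {
	return filepath.Join(dest, strings.TrimPrefix(name, "../"))
}

// safeExtractPath resolves an archive entry name against dest and rejects it
// unless the cleaned result is dest itself or a descendant of dest. The check
// runs on the cleaned path, after every ".." has been collapsed, so the number
// or position of ".." segments in the entry does not matter. An absolute entry
// name is re-rooted under dest by Join rather than honoured.
func safeExtractPath(dest, name string) (string, error) {
	cleanDest := filepath.Clean(dest)
	target := filepath.Join(cleanDest, name)
	rel, err := filepath.Rel(cleanDest, target)
	if err != nil {
		return "", ErrTraversal
	}
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrTraversal
	}
	return target, nil
}

// rejectedEntries runs safeExtractPath over every entry name in an archive
// listing and returns the names that would escape dest. An extractor should
// run this check before it creates anything on disk.
func rejectedEntries(dest string, names []string) []string {
	var bad []string
	for _, n := range names {
		if _, err := safeExtractPath(dest, n); err != nil {
			bad = append(bad, n)
		}
	}
	return bad
}

func main() {
	const dest = "/srv/extract"
	// Constructed entry names of the kind an attacker would place in a malicious archive.
	entries := []string{
		"challenge/flag.txt",        // benign
		"../etc/passwd",             // simple traversal; the naive sanitizer catches this one
		"a/../../etc/passwd",        // nested traversal that survives a one-shot TrimPrefix
		"..//../etc/cron.d/persist", // doubled separator around the stripped prefix
		"/etc/ld.so.preload",        // absolute name; Join re-roots it under dest
	}
	for _, e := range entries {
		fmt.Printf("%-28s naive=%s\n", e, naiveSanitizePath(dest, e))
		if p, err := safeExtractPath(dest, e); err != nil {
			fmt.Printf("%-28s safe=REJECTED\n", e)
		} else {
			fmt.Printf("%-28s safe=%s\n", e, p)
		}
	}
	fmt.Println("rejected:", rejectedEntries(dest, entries))
}
```

The check is purely lexical. If an earlier entry in the same archive created a symlink inside the extraction directory that points outside it, a later entry written through that symlink still escapes, so an extractor should also refuse symlink entries (or resolve the target with filepath.EvalSymlinks before writing). Since Go 1.20 the standard archive/zip and archive/tar readers additionally report ErrInsecurePath for entry names containing ".." or absolute paths, which is a useful second line of defence but not a substitute for the per-entry check.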

RECOMMENDATION:

We recommend updating ctfer-io to version 0.2.2 or later.

REFERENCES:

The following reports contain further technical details:
https://github.com/advisories/GHSA-f7cq-gvh6-qr25
