CVE-2026-29064 — Path Traversal in Zarf-dev Zarf

CWE-22 — Path Traversal5 documents4 sources

Severity

8.2HIGHNVD

EPSS

0.0%

top 95.12%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Github.com Zarf-dev Zarf Github.com Zarf-dev Zarf SRC PKG Archive Lfprojects Zarf +1 more

Timeline

PublishedMar 6

Latest updateMar 10

Description

Zarf is an Airgap Native Packager Manager for Kubernetes. From version 0.54.0 to before version 0.73.1, a path traversal vulnerability in archive extraction allows a specifically crafted Zarf package to create symlinks pointing outside the destination directory, enabling arbitrary file read or write on the system processing the package. This issue has been patched in version 0.73.1.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:NExploitability: 1.8 | Impact: 5.8

Affected Packages4 packages

▶Gogithub.com/zarf-dev_zarf_src_pkg_archive0.54.0 — 0.73.1

▶NVDlfprojects/zarf0.54.0 — 0.73.1

▶Gogithub.com/zarf-dev_zarf0.54.0 — 0.73.1

▶CVEListV5zarf-dev/zarf>= 0.54.0, < 0.73.1

🔴Vulnerability Details

OSV

Zarf's symlink targets in archives are not validated against destination directory in github.com/zarf-dev/zarf↗2026-03-10

▶

OSV

Zarf's symlink targets in archives are not validated against destination directory↗2026-03-06

▶

GHSA

Zarf's symlink targets in archives are not validated against destination directory↗2026-03-06

▶

🕵️Threat Intelligence

Wiz

CVE-2026-29064 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶