External risk intelligence

OCaml-tar Directory Traversal Leading to Arbitrary File Writes.

CVE advisory

Severity: CRITICAL (CVSS 9.1)

CVE-2026-45390

A critical vulnerability exists in the OCaml-tar library: a crafted archive can overwrite arbitrary files outside the intended extraction directory. Any system that extracts archives with this library is affected if an attacker can supply the archive it extracts. Uncertainty remains regarding how widely this library is integrated.

Halo Surface Signal: 3

Path Traversal

External exposure likelihood

Halo Surface Signal score for CVE-2026-45390

The vulnerability involves a library that handles archive extraction. While it can be integrated into internet-facing applications that process user-uploaded files, it is a developer-focused library rather than a standalone network service or edge gateway. Its exposure depends entirely on how the application that integrates it is deployed and which archives that application accepts.

PCI scan relevance

PCI Relevance for CVE-2026-45390

Yes

CVE-2026-45390 — Halo PCI Relevance: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

This arbitrary file write could let an attacker overwrite critical files; an in-scope system that extracts attacker-supplied archives with the affected library is likely to fail a PCI ASV scan.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.

Horizon Alert

Summary of the vulnerability and why it matters

This advisory highlights a critical vulnerability in a library used for handling archive decompression, potentially allowing attackers to write files anywhere on a system. While the library itself is not a direct network service, its integration into applications that process user-supplied archives could expose organizations to risks if not carefully managed. The primary concern is determining if this library is used and if it processes external or untrusted archive files.

  • Archive decompression library allows unauthorized file writes.
  • Critical issue impacts systems processing archives.
  • Confirm use and exposure of this library.

Attack Path

How an attacker could exploit the issue

An attacker could exploit this vulnerability by providing a specially crafted tar archive whose member names contain path traversal sequences. If an application extracts this archive with the affected library, the library writes files outside the intended directory, potentially overwriting critical system files.

  • Entry condition: The attacker can supply an archive to an application that extracts it with the affected library.
  • Trigger point: An archive member whose name contains traversal segments such as '..'.
  • Resulting risk: Files written or overwritten outside the extraction directory.

Live Threat

Current exploitation, exposure, and threat context

A crafted archive containing path traversal sequences can cause arbitrary file writes outside the intended directory when an application extracts it with the affected library.

  • Arbitrary file writes outside the extraction directory.
  • Crafted archives with path traversal sequences.
  • Unintended file overwrites or creation.

Operational Fix

Recommended remediation, mitigation, and detection steps

The OCaml-tar library, used for archive extraction, presents a critical risk of arbitrary file writes when processing crafted archives with path traversal elements. Application owners integrating this library are responsible for identifying its use, determining whether extraction endpoints are exposed externally, and assessing business criticality. The immediate steps are to locate all instances of the affected library, confirm exposure, identify the accountable application owner, and then prioritize remediation based on risk.

  • Application owners should manage this issue.
  • Verify exposed decompression endpoints first.
  • Plan remediation based on exposure risk.
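The inventory step above (locate every project that pulls in the library) can be scripted. The following is an added example, not code from this page or from the ocaml-tar project: it walks a source tree for `*.opam` and `dune-project` files and reports every declared dependency on the opam packages the library is assumed to ship as. The package-name set `TAR_PACKAGES`, the file layout it expects, and the constructed sample project in `SAMPLE_FILES` are assumptions for the example; verify the package names against the opam repository before relying on them.

```python
import re
import tempfile
from pathlib import Path

# Assumed opam package names published from the ocaml-tar repository (hypothetical list).
TAR_PACKAGES = {"tar", "tar-unix", "tar-mirage", "tar-eio"}


def _bracketed(text, start, open_ch, close_ch):
    """Return the text inside the bracket pair that opens at text[start]."""
    depth = 0
    for i in range(start, len(text)):
        if text[i] == open_ch:
            depth += 1
        elif text[i] == close_ch:
            depth -= 1
            if depth == 0:
                return text[start + 1:i]
    return text[start + 1:]


def opam_depends(text):
    """(package, constraint) pairs from the `depends: [ ... ]` field of an opam file."""
    m = re.search(r"^depends\s*:\s*\[", text, re.M)
    if not m:
        return []
    body = _bracketed(text, m.end() - 1, "[", "]")
    # Each entry is "name" optionally followed by a {constraint} block; the block is
    # consumed whole so version strings inside it are not mistaken for package names.
    pairs = re.findall(r'"([^"]+)"\s*(\{[^}]*\})?', body)
    return [(name, cons.strip("{} ")) for name, cons in pairs]


def _sexp_items(body):
    """Split the inside of an s-expression list into its top-level items."""
    items, cur, depth = [], "", 0
    for ch in body:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
        if depth == 0 and ch.isspace():
            if cur:
                items.append(cur)
            cur = ""
        else:
            cur += ch
    if cur:
        items.append(cur)
    return items


def dune_depends(text):
    """(package, constraint) pairs from every (depends ...) form in a dune-project file."""
    pairs = []
    for m in re.finditer(r"\(depends\b", text):
        body = _bracketed(text, m.start(), "(", ")")[len("depends"):]
        for item in _sexp_items(body):
            if item.startswith("("):           # (name constraint...)
                name, _, cons = item[1:-1].strip().partition(" ")
                pairs.append((name, cons.strip()))
            else:                              # bare package name
                pairs.append((item, ""))
    return pairs


def find_tar_dependents(root):
    """Report (file, package, constraint) for every declared dependency on a tar package."""
    hits, root = [], Path(root)
    for path in sorted(root.rglob("*")):
        if path.name.endswith(".opam"):
            deps = opam_depends(path.read_text())
        elif path.name == "dune-project":
            deps = dune_depends(path.read_text())
        else:
            continue
        for name, cons in deps:
            if name in TAR_PACKAGES:
                hits.append((path.relative_to(root).as_posix(), name, cons))
    return hits


# Constructed sample project tree for the demo; not real projects.
SAMPLE_FILES = {
    "app/app.opam": 'opam-version: "2.0"\ndepends: [\n  "ocaml" {>= "4.14"}\n'
                    '  "tar" {>= "2.0.0" & < "3.0.0"}\n  "alcotest" {with-test}\n]\n',
    "app/dune-project": "(lang dune 3.0)\n(package\n (name app)\n"
                        " (depends (tar (>= 2.0.0)) tar-unix))\n",
    "tools/tools.opam": 'opam-version: "2.0"\ndepends: [\n  "ocaml"\n  "cmdliner" {>= "1.1.0"}\n]\n',
}


def demo():
    """Write the sample tree to a scratch directory and scan it."""
    with tempfile.TemporaryDirectory() as root:
        for rel, content in SAMPLE_FILES.items():
            p = Path(root, rel)
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_text(content)
        return find_tar_dependents(root)


if __name__ == "__main__":
    for file, pkg, cons in demo():
        print(f"{file}: {pkg} {cons}".rstrip())
```

Run it against each checkout you own; the versions actually installed in a given opam switch can be cross-checked with `opam list`, and the version constraints it prints tell you whether a pinned range would even admit a fixed release.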

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is the OCaml-tar library?

OCaml-tar is a programming library for the OCaml language used by developers to read and extract tar archive files within software applications. It is not a standalone application or network service but rather a component that programmers integrate into their own code to manage file archives. Its functionality is specific to processing the contents of these archives, making it a utility tool within a broader software ecosystem.

How does CVE-2026-45390 cause a vulnerability?

This CVE is identified as a Path Traversal weakness, categorized as CWE-22. It occurs because the library fails to properly validate archive contents during extraction. Specifically, it does not stop archives containing '..' path sequences from escaping the designated folder. While standard tar utilities are designed to reject such paths to maintain security, this library processes them, allowing files to be written to unintended locations on the host system.

When does a file trigger this security flaw?

The flaw is triggered when the library processes a maliciously crafted tar archive that includes directory traversal sequences in its file names. Simply having the library installed in your code base does not trigger the bug; the vulnerability is only activated if the application actually decompresses a specially prepared archive provided by an attacker. Archives that do not contain these specific navigation sequences will not cause the software to write files outside of the intended directory.
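The Attack Path section and the two answers above describe the trigger in words: a member name containing '..' is joined onto the extraction directory and written without a containment check. The block below is an added example, not code from this page or from the ocaml-tar project, and it is written in Python rather than OCaml so the archive can be built and checked in memory. It constructs a tar containing the benign member plus the traversal patterns an extractor has to refuse, shows the unchecked target path a vulnerable extractor would use (`naive_target`), and then extracts the archive with a per-member containment check. It goes beyond the '..' case in the text to absolute member names and a symlink planted to redirect a later member, which standard tar tools also guard against; the member list in `CRAFTED_ENTRIES` is constructed for the example.

```python
import io
import os
import tarfile
import tempfile

# Constructed crafted archive: (member name, file bytes or None, symlink target or None).
# Only the first entry is benign; the rest are the patterns an extractor must refuse.
CRAFTED_ENTRIES = [
    ("docs/readme.txt", b"benign\n", None),
    ("../../escaped.txt", b"pwned\n", None),          # classic '..' traversal
    ("/tmp/absolute.txt", b"abs\n", None),            # absolute member name
    ("docs/../../sibling.txt", b"x\n", None),         # '..' hidden mid-path
    ("link", None, "../../"),                         # symlink pointing outside dest
    ("link/evil.txt", b"via symlink\n", None),        # file routed through that symlink
]


def build_crafted_tar():
    """Return the bytes of an in-memory tar built from CRAFTED_ENTRIES."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, data, link in CRAFTED_ENTRIES:
            info = tarfile.TarInfo(name)
            if link is not None:
                info.type = tarfile.SYMTYPE
                info.linkname = link
                tf.addfile(info)
            else:
                info.size = len(data)
                tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def naive_target(dest, name):
    """What a vulnerable extractor writes to: the member name joined onto dest, unchecked."""
    return os.path.join(dest, name)


def member_escapes(dest, name):
    """True if writing `name` under `dest` would land outside `dest`.
    realpath() also follows symlinks already present on disk, which is why the
    check runs per member, after the members before it have been written."""
    real_dest = os.path.realpath(dest)
    real_target = os.path.realpath(naive_target(dest, name))
    return os.path.commonpath([real_dest, real_target]) != real_dest


def safe_extract(archive_bytes, dest):
    """Extract only members that stay inside dest. Returns (extracted, rejected) names."""
    extracted, rejected = [], []
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r") as tf:
        for m in tf:
            target = naive_target(dest, m.name)
            if member_escapes(dest, m.name):
                rejected.append(m.name)
                continue
            if m.issym():
                # Resolve the link target relative to the link's own directory.
                link_target = (m.linkname if os.path.isabs(m.linkname)
                               else os.path.join(os.path.dirname(m.name), m.linkname))
                if member_escapes(dest, link_target):
                    rejected.append(m.name)
                    continue
                os.makedirs(os.path.dirname(target), exist_ok=True)
                os.symlink(m.linkname, target)
            elif m.isdir():
                os.makedirs(target, exist_ok=True)
            elif m.isfile():
                os.makedirs(os.path.dirname(target), exist_ok=True)
                with tf.extractfile(m) as src, open(target, "wb") as out:
                    out.write(src.read())
            else:
                rejected.append(m.name)   # hard links, devices, fifos: refuse
                continue
            extracted.append(m.name)
    return extracted, rejected


def demo():
    """Extract the crafted archive into a scratch directory and report the outcome."""
    with tempfile.TemporaryDirectory() as dest:
        extracted, rejected = safe_extract(build_crafted_tar(), dest)
        on_disk = sorted(os.path.relpath(os.path.join(root, f), dest)
                         for root, _, files in os.walk(dest) for f in files)
    return extracted, rejected, on_disk


if __name__ == "__main__":
    ext, rej, disk = demo()
    print("extracted:", ext)
    print("rejected: ", rej)
    print("on disk:  ", disk)
```

Note that `link/evil.txt` is accepted: because the escaping symlink was refused, the path is a plain directory inside the destination by the time the file is written. Checking names in isolation before extraction would not catch that pattern if the link had been created; checking the real on-disk path for each member in order does.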

Is my application vulnerable to this issue?

According to Halo Surface Signal, risk depends on how your application uses the library. If your software allows users to upload or provide archives for processing, it may be exposed to external threats. Because this is a developer-focused library, its relevance is highest in internet-facing applications that perform decompression on untrusted data. Internal tools with restricted access are generally at lower risk than those directly interacting with public-facing inputs.

What steps should I take if I use OCaml-tar?

Start by performing an inventory to locate all instances where this library is integrated into your software projects. Once identified, evaluate if those specific components process files or archives received from external or untrusted sources. Prioritize updates for applications where the library is exposed to internet traffic or user-supplied data, and consult the OCaml-tar documentation for official guidance on upgrading to a secure version that handles path validation correctly.
