CVE-2020-36193: PHP Archive Tar Path Traversal Flaw

CVE-2020-36193 Overview

CVE-2020-36193 is a directory traversal vulnerability in the PEAR Archive_Tar PHP library through version 1.4.11. The flaw resides in Tar.php, which fails to adequately validate symbolic links during archive extraction. Attackers can craft a malicious tar archive containing symlinks that point outside the intended extraction path, enabling write operations to arbitrary file system locations. The issue is closely related to CVE-2020-28948 and affects downstream consumers including Drupal core, Debian, Fedora, and Gentoo. CISA has added this vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, confirming active exploitation in the wild.

Critical Impact
A network-reachable attacker can write attacker-controlled content to arbitrary paths on the host, leading to remote code execution on web applications such as Drupal that process untrusted archives.

Affected Products

PEAR Archive_Tar through 1.4.11
Drupal core (multiple supported branches, per SA-CORE-2021-001)
Debian Linux 9 and 10, Fedora 32–35, and Gentoo distributions packaging Archive_Tar

Discovery Timeline

2021-01-18 - CVE-2020-36193 published to NVD
2025-11-07 - Last updated in NVD database

Technical Details for CVE-2020-36193

Vulnerability Analysis

The vulnerability is a path traversal via symbolic links [CWE-22, CWE-59] in the archive extraction routine of Archive_Tar. When Archive_Tar processes a tar entry with typeflag value 2 (symbolic link), it writes the symlink to disk without verifying that the link target resolves within the destination directory. A subsequent file entry that writes through that symlink path can place attacker-controlled bytes anywhere the PHP process has write permission.

In applications such as Drupal, where Archive_Tar extracts user-supplied archives during module or update operations, this primitive escalates to remote code execution. An attacker uploads a crafted archive, the extractor follows the planted symlink, and PHP files land in webroot-reachable locations.

Root Cause

The root cause is missing validation of the symlink target path. Prior to the fix, Tar.php did not compare the canonicalized parent directory of the link target against the canonicalized extraction root. Because realpath() was never invoked on the symlink target, traversal sequences and absolute paths in the link field bypassed all containment.

Attack Vector

Exploitation requires an attacker to deliver a malicious tar archive to a vulnerable extraction routine. No authentication is needed when the target application exposes archive intake to anonymous users. The attack chain is:

Build a tar archive containing a symlink entry whose link target points outside the extraction directory (for example, ../../../var/www/html/).
Append a regular file entry whose filename routes through the planted symlink.
Submit the archive to a vulnerable consumer such as Drupal's module installer.
Trigger the extracted payload, typically by requesting the dropped PHP file.

The upstream commit added a realpath() containment check that aborts extraction when a symlink target resolves outside the destination path:

php

} elseif ($v_header['typeflag'] == "2") {
    if (strpos(realpath(dirname($v_header['link'])), realpath($p_path)) !== 0) {
        $this->_error(
             'Out-of-path file extraction {'
             . $v_header['filename'] . ' --> ' .
             $v_header['link'] . '}'
        );
        return false;
    }
    if (!$p_symlinks) {
        $this->_warning('Symbolic links are not allowed. '
            . 'Unable to extract {'

Source: pear/Archive_Tar commit cde46058

Detection Methods for CVE-2020-36193

Indicators of Compromise

Tar or .tar.gz archives containing symlink entries whose link field includes ../ sequences or absolute paths outside the extraction directory.
Newly created PHP files in web-accessible directories such as sites/default/files/, modules/, or themes/ on Drupal hosts following an archive upload.
Unexpected child processes spawned by php-fpm or the webserver user shortly after an archive operation.

Detection Strategies

Inventory installed Archive_Tar versions across PHP application stacks and flag any release at or below 1.4.11.
Inspect web server access logs for POST requests to Drupal update, module install, or media import endpoints followed by GET requests to newly created .php resources.
Hook archive extraction calls in development and staging environments to log each typeflag == 2 entry and the resolved target path for review.

Monitoring Recommendations

Alert on filesystem writes from the PHP process to paths outside the application's designated upload or temp directory.
Monitor package management telemetry for Debian, Fedora, and Gentoo advisories that update the php-pear or Archive_Tar packages.
Track outbound connections initiated by the webserver user immediately after archive uploads to identify post-exploitation callbacks.

How to Mitigate CVE-2020-36193

Immediate Actions Required

Upgrade Archive_Tar to 1.4.12 or later on every host that installs the PEAR library directly or as a Composer dependency.
Apply Drupal core updates per SA-CORE-2021-001 on all Drupal 7, 8.9, and 9.x installations.
Apply distribution patches: Debian DSA-4894, the Debian LTS advisory, Fedora updates for Fedora 32–35, and Gentoo GLSA 202101-23.
Audit any custom PHP code that calls Archive_Tar::extract() on user-supplied archives and confirm the patched version is loaded at runtime.

Patch Information

The upstream fix is commit cde46058 in the pear/Archive_Tar repository, released as Archive_Tar 1.4.12. The patch rejects any symlink entry whose target's parent directory does not resolve within the extraction path. Drupal shipped the patched library in the releases listed in SA-CORE-2021-001. CISA's listing in the KEV catalog makes patching mandatory for U.S. federal agencies under BOD 22-01.

Workarounds

Disable or restrict archive upload features in Drupal until the patched version is deployed.
Run the PHP-FPM worker under a dedicated low-privilege user with write access limited to the application's data directory.
Place extraction operations inside a chroot or container so symlink traversal cannot escape into sensitive paths.

bash

# Verify the patched Archive_Tar version is installed via PEAR
pear list | grep -i Archive_Tar

# Or via Composer for projects using pear/archive_tar
composer show pear/archive_tar | grep versions

# Update to a fixed release
pear upgrade Archive_Tar
composer require pear/archive_tar:^1.4.14

CVE-2020-36193 Overview

Critical Impact
A network-reachable attacker can write attacker-controlled content to arbitrary paths on the host, leading to remote code execution on web applications such as Drupal that process untrusted archives.

Affected Products

PEAR Archive_Tar through 1.4.11
Drupal core (multiple supported branches, per SA-CORE-2021-001)
Debian Linux 9 and 10, Fedora 32–35, and Gentoo distributions packaging Archive_Tar

Discovery Timeline

2021-01-18 - CVE-2020-36193 published to NVD
2025-11-07 - Last updated in NVD database

Technical Details for CVE-2020-36193

Vulnerability Analysis

Root Cause

Attack Vector

Build a tar archive containing a symlink entry whose link target points outside the extraction directory (for example, ../../../var/www/html/).
Append a regular file entry whose filename routes through the planted symlink.
Submit the archive to a vulnerable consumer such as Drupal's module installer.
Trigger the extracted payload, typically by requesting the dropped PHP file.

The upstream commit added a realpath() containment check that aborts extraction when a symlink target resolves outside the destination path:

php

} elseif ($v_header['typeflag'] == "2") {
    if (strpos(realpath(dirname($v_header['link'])), realpath($p_path)) !== 0) {
        $this->_error(
             'Out-of-path file extraction {'
             . $v_header['filename'] . ' --> ' .
             $v_header['link'] . '}'
        );
        return false;
    }
    if (!$p_symlinks) {
        $this->_warning('Symbolic links are not allowed. '
            . 'Unable to extract {'

Source: pear/Archive_Tar commit cde46058

Detection Methods for CVE-2020-36193

Indicators of Compromise

Tar or .tar.gz archives containing symlink entries whose link field includes ../ sequences or absolute paths outside the extraction directory.
Newly created PHP files in web-accessible directories such as sites/default/files/, modules/, or themes/ on Drupal hosts following an archive upload.
Unexpected child processes spawned by php-fpm or the webserver user shortly after an archive operation.

Detection Strategies

Inventory installed Archive_Tar versions across PHP application stacks and flag any release at or below 1.4.11.
Inspect web server access logs for POST requests to Drupal update, module install, or media import endpoints followed by GET requests to newly created .php resources.
Hook archive extraction calls in development and staging environments to log each typeflag == 2 entry and the resolved target path for review.

Monitoring Recommendations

Alert on filesystem writes from the PHP process to paths outside the application's designated upload or temp directory.
Monitor package management telemetry for Debian, Fedora, and Gentoo advisories that update the php-pear or Archive_Tar packages.
Track outbound connections initiated by the webserver user immediately after archive uploads to identify post-exploitation callbacks.

How to Mitigate CVE-2020-36193

Immediate Actions Required

Upgrade Archive_Tar to 1.4.12 or later on every host that installs the PEAR library directly or as a Composer dependency.
Apply Drupal core updates per SA-CORE-2021-001 on all Drupal 7, 8.9, and 9.x installations.
Apply distribution patches: Debian DSA-4894, the Debian LTS advisory, Fedora updates for Fedora 32–35, and Gentoo GLSA 202101-23.
Audit any custom PHP code that calls Archive_Tar::extract() on user-supplied archives and confirm the patched version is loaded at runtime.

Patch Information

Workarounds

Disable or restrict archive upload features in Drupal until the patched version is deployed.
Run the PHP-FPM worker under a dedicated low-privilege user with write access limited to the application's data directory.
Place extraction operations inside a chroot or container so symlink traversal cannot escape into sensitive paths.

bash

# Verify the patched Archive_Tar version is installed via PEAR
pear list | grep -i Archive_Tar

# Or via Composer for projects using pear/archive_tar
composer show pear/archive_tar | grep versions

# Update to a fixed release
pear upgrade Archive_Tar
composer require pear/archive_tar:^1.4.14

CVE-2020-36193: PHP Archive Tar Path Traversal Flaw

CVE-2020-36193 Overview

Critical Impact

Affected Products

Discovery Timeline

Technical Details for CVE-2020-36193

Vulnerability Analysis

Root Cause

Attack Vector

Detection Methods for CVE-2020-36193

Indicators of Compromise

Detection Strategies

Monitoring Recommendations

How to Mitigate CVE-2020-36193

Immediate Actions Required

Patch Information

Workarounds

Experience the Most Advanced Cybersecurity Platform

CVE-2020-36193: PHP Archive Tar Path Traversal Flaw

CVE-2020-36193 Overview

Critical Impact

Affected Products

Discovery Timeline

Technical Details for CVE-2020-36193

Vulnerability Analysis

Root Cause

Attack Vector

Detection Methods for CVE-2020-36193

Indicators of Compromise

Detection Strategies

Monitoring Recommendations

How to Mitigate CVE-2020-36193

Immediate Actions Required

Patch Information

Workarounds

Experience the Most Advanced Cybersecurity Platform