CVE-2026-41245 Overview
CVE-2026-41245 is a path traversal vulnerability affecting Junrar, an open source Java RAR archive library. The vulnerability exists in the LocalFolderExtractor component, which fails to properly sanitize file paths when extracting RAR archives. This flaw allows an attacker to write arbitrary files with attacker-controlled content into sibling directories when a specially crafted RAR archive is extracted.
Critical Impact
Attackers can craft malicious RAR archives that, when extracted by vulnerable applications using Junrar, write arbitrary files outside the intended extraction directory, potentially leading to code execution or system compromise.
Affected Products
- Junrar versions prior to 7.5.10
- Java applications using Junrar as a dependency for RAR extraction
- Any software integrating the LocalFolderExtractor class from vulnerable Junrar versions
Discovery Timeline
- 2026-04-20 - CVE-2026-41245 published to NVD
- 2026-04-23 - Last updated in NVD database
Technical Details for CVE-2026-41245
Vulnerability Analysis
This path traversal vulnerability stems from insufficient validation of file paths contained within RAR archive entries. When the LocalFolderExtractor class processes archive entries for extraction, it fails to properly sanitize relative path components such as ../ (dot-dot-slash) sequences. This allows malicious archives to specify paths that escape the intended extraction directory and write files to arbitrary locations on the filesystem.
The impact is significant as it enables integrity attacks against the target system. An attacker can overwrite configuration files, inject malicious code into executable locations, or plant web shells in accessible directories. The vulnerability is remotely exploitable in scenarios where applications automatically process user-uploaded RAR files.
Root Cause
The root cause is improper input validation (CWE-22: Improper Limitation of a Pathname to a Restricted Directory) in the LocalFolderExtractor component. The extraction logic does not adequately validate or canonicalize file paths from archive entries before writing files to the filesystem. Path components such as ../ or absolute paths embedded in the archive are processed without verification that the resulting path remains within the intended extraction directory.
Attack Vector
The attack is network-based and requires no authentication or user interaction. An attacker creates a malicious RAR archive containing entries with path traversal sequences (e.g., ../../../etc/cron.d/malicious). When a vulnerable application extracts this archive using Junrar's LocalFolderExtractor, the files are written to locations outside the intended extraction directory based on the malicious paths specified in the archive.
The vulnerability is particularly dangerous in web applications that accept RAR file uploads and automatically extract them, file processing services, or any automated archive handling systems using Junrar.
Detection Methods for CVE-2026-41245
Indicators of Compromise
- Unexpected file creation or modification outside of designated extraction directories
- RAR archives containing entries with ../ path sequences or absolute paths
- Application logs showing file writes to sensitive system directories during archive extraction
- Presence of suspicious files in sibling or parent directories of normal extraction locations
Detection Strategies
- Implement file integrity monitoring on sensitive directories to detect unauthorized writes
- Review application dependencies for Junrar versions prior to 7.5.10
- Monitor for RAR archive processing that results in file operations outside expected paths
- Deploy application-level logging to track archive extraction activities and destination paths
Monitoring Recommendations
- Enable detailed logging for file system operations in applications processing RAR archives
- Implement alerts for archive extraction operations that attempt path traversal
- Use software composition analysis (SCA) tools to identify vulnerable Junrar dependencies
- Monitor web application firewalls for uploads containing archives with suspicious entry names
How to Mitigate CVE-2026-41245
Immediate Actions Required
- Upgrade Junrar to version 7.5.10 or later immediately
- Audit applications using Junrar to identify all affected instances
- Review file systems for any evidence of exploitation or unauthorized file modifications
- Implement input validation at the application level as an additional defense layer
Patch Information
The vulnerability is fixed in Junrar version 7.5.10. The patch implements proper path canonicalization and validation to ensure extracted files cannot escape the designated extraction directory.
For patch details, see the GitHub Commit Update and GitHub Release v7.5.10. Full security details are available in the GitHub Security Advisory GHSA-hf5p-q87m-crj7.
Workarounds
- Validate archive entry paths before extraction to reject entries containing ../ or absolute paths
- Implement chroot or container-based isolation for archive extraction processes
- Use allowlisting to restrict file extensions and paths that can be extracted
- Disable automatic archive extraction for untrusted sources until patching is complete
```bash
# Maven dependency update example
# Update pom.xml to use patched version:
# <dependency>
#   <groupId>com.github.junrar</groupId>
#   <artifactId>junrar</artifactId>
#   <version>7.5.10</version>
# </dependency>

# Verify current Junrar version in your project
mvn dependency:tree | grep junrar
```
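One way to implement the first workaround above (rejecting entries whose path would leave the extraction directory), as an added example that is not Junrar's code or its 7.5.10 patch. The class name, method name, destination directory and entry names are constructed for illustration; the check uses only `java.nio.file` and is meant to run on each entry name before anything is written.

```java
import java.io.IOException;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.List;

public class EntryPathCheck {

    /** Resolve an archive entry name under destDir, or throw if it would land outside it. */
    static Path safeResolve(Path destDir, String entryName) throws IOException {
        // Archive entry names may use either separator; treat both as '/'.
        String name = entryName.replace('\\', '/');
        // Reject absolute, UNC-style and Windows drive-letter paths outright.
        if (name.startsWith("/") || name.matches("^[A-Za-z]:.*")) {
            throw new IOException("absolute entry path rejected: " + entryName);
        }
        Path base = destDir.toAbsolutePath().normalize();
        Path target = base.resolve(name).normalize();
        // Path.startsWith compares whole path components, so a sibling such as
        // /srv/uploads/out-evil is not treated as being inside /srv/uploads/out
        // (a String prefix comparison would accept it).
        // An entry that resolves to the directory itself ("" or ".") is also refused.
        if (!target.startsWith(base) || target.equals(base)) {
            throw new IOException("entry escapes extraction directory: " + entryName);
        }
        return target;
    }

    public static void main(String[] args) {
        Path dest = Paths.get("/srv/uploads/out"); // constructed example directory
        // Constructed entry names, not taken from a real archive.
        List<String> names = List.of(
            "docs/readme.txt",               // stays inside: accepted
            "../out-evil/payload.txt",       // sibling directory: rejected
            "../../../etc/cron.d/malicious", // parent traversal: rejected
            "/etc/passwd",                   // absolute path: rejected
            "a/../../b.txt");                // traversal hidden mid-path: rejected
        for (String n : names) {
            try {
                System.out.println("OK      " + n + " -> " + safeResolve(dest, n));
            } catch (IOException e) {
                System.out.println("REJECT  " + e.getMessage());
            }
        }
    }
}
```

The check is lexical: it does not resolve symbolic links that already exist under the extraction directory, so it complements the isolation workaround rather than replacing it.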

