oss-sec mailing list archives

[oss-security][CVE-2026-3087] shutil.unpack_archive() doesn't check for Windows absolute paths in ZIPs

From: Alan Coopersmith <alan.coopersmith () oracle com>
Date: Mon, 27 Apr 2026 18:45:50 -0700




-------- Forwarded Message --------

Subject: [Security-announce][CVE-2026-3087] shutil.unpack_archive() doesn'tcheck for Windows absolute paths in ZIPs

Date:   Mon, 27 Apr 2026 20:48:33 +0000
From:   Seth Larson <seth () python org>
Reply-To:       security-sig () python org
To:     security-announce () python org



There is a MEDIUM severity vulnerability affecting CPython.

If `shutil.unpack_archive()` is given a ZIP archive with an absolute Windowspath containing a drive (`C:\\...`) then the archive will be extracted outsidethe target directory which is different than other operating systems. OnlyWindows is affected by this vulnerability.


Please see the linked CVE ID for the latest information on affected versions:

* https://www.cve.org/CVERecord?id=CVE-2026-3087
* https://github.com/python/cpython/pull/146591

_______________________________________________
Security-announce mailing list -- security-announce () python org
To unsubscribe send an email to security-announce-leave () python org
https://mail.python.org/mailman3//lists/security-announce.python.org

Current thread:

[oss-security][CVE-2026-3087] shutil.unpack_archive() doesn't check for Windows absolute paths in ZIPs Alan Coopersmith (Apr 27)