Security Advisories | Source: GitHub Security Advisories | Views: 2
[openclaw] OpenClaw has Zip Slip path traversal in tar archive extraction
By GitHub, March 3, 2026
**Summary**

OpenClaw versions before 2026.2.14 did not sufficiently validate TAR archive entry paths during extraction. A crafted archive could use path traversal sequences (for example `../../...`) to write files outside the intended destination directory (Zip Slip).

**Affected Packages / Versions**

- Package: openclaw (npm)
- Affected: < 2026.2.14
- Fixed: >= 2026.2.14

**Details**

The affected code path is `extractArchive()` in `src/infra/archive.ts`. Prior to 2026.2.14, TAR extraction used `tar.x({ cwd: destDir })` without rejecting traversal and absolute entry paths. This extraction is used by installation flows such as:

- `openclaw plugins install …`
- `openclaw hooks install …`

**Impact**

If a user installs an untrusted .tar / .tgz archive, an attacker can write files outside the extraction directory (within the permissions of the OpenClaw process)...
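The defensive check the advisory describes (rejecting absolute and traversal entry paths before anything is written under the destination directory) can be expressed as a small, dependency-free validator. The following is an added example written for this page; it is not OpenClaw's `extractArchive()` code or the project's fix, and the function names `checkEntryPath`, `auditArchiveEntries` and `makeTarFilter` and the sample entry list are assumptions constructed here. It applies the policy to each archive entry name in isolation, which is how node-tar's `filter` extraction option presents entries to a callback.

```typescript
// Added example (not OpenClaw's code): validate tar entry paths before extraction
// so that a crafted archive cannot write outside the destination directory (Zip Slip).

interface EntryCheck {
  entryPath: string;   // entry name exactly as it appears in the archive header
  allowed: boolean;    // true only if the entry may be written under destDir
  reason: string;      // why it was accepted or rejected (for logs / audit output)
}

/**
 * Decide whether a single archive entry path is safe to extract relative to
 * the destination directory. Policy (mirrors the advisory's requirements):
 *   - absolute paths (POSIX "/..." or Windows drive "C:...") are rejected
 *   - any ".." segment is rejected outright, even if it would resolve back
 *     inside the destination, because the archive has no legitimate reason
 *     to contain one
 *   - NUL bytes are rejected as a general path-hygiene rule (assumption added here)
 * Backslashes are normalized to "/" first so "..\\x" cannot slip past a POSIX-only check.
 */
function checkEntryPath(entryPath: string): EntryCheck {
  const deny = (reason: string): EntryCheck => ({ entryPath, allowed: false, reason });
  const p = entryPath.replace(/\\/g, "/");

  if (p.length === 0) return deny("empty entry path");
  if (p.includes("\0")) return deny("NUL byte in entry path");
  if (p.startsWith("/") || /^[A-Za-z]:/.test(p)) return deny("absolute entry path");

  // Split into segments, ignoring empty ones ("a//b", trailing "/") and ".".
  const segments = p.split("/").filter((s) => s !== "" && s !== ".");
  for (const seg of segments) {
    if (seg === "..") return deny("path traversal segment '..'");
  }
  // Note: a segment such as "..hidden" is a normal file name and is allowed.
  return { entryPath, allowed: true, reason: "relative path, no traversal" };
}

/** Run the check over every entry name of an archive and partition the results. */
function auditArchiveEntries(entries: string[]): { accepted: string[]; rejected: EntryCheck[] } {
  const accepted: string[] = [];
  const rejected: EntryCheck[] = [];
  for (const e of entries) {
    const r = checkEntryPath(e);
    if (r.allowed) accepted.push(e);
    else rejected.push(r);
  }
  return { accepted, rejected };
}

/**
 * Adapter for node-tar's extraction `filter` option, e.g.
 *   tar.x({ cwd: destDir, filter: makeTarFilter() })
 * Returning false skips the entry; a strict installer would instead abort the
 * whole install on the first rejected entry, which the audit above supports.
 */
function makeTarFilter(): (entryPath: string) => boolean {
  return (entryPath: string) => checkEntryPath(entryPath).allowed;
}

// Constructed sample entry names, as a crafted plugin archive might carry them.
const SAMPLE_ENTRIES: string[] = [
  "plugin/index.js",                  // allowed
  "plugin/lib/helper.js",             // allowed
  "plugin/",                          // allowed (directory entry)
  "plugin/..hidden",                  // allowed ("..hidden" is a file name, not traversal)
  "../../.bashrc",                    // rejected: traversal
  "plugin/../../etc/cron.d/job",      // rejected: traversal, even though it starts inside
  "/etc/cron.d/job",                  // rejected: absolute
  "C:\\Windows\\System32\\x.dll",     // rejected: absolute (drive prefix)
];

const audit = auditArchiveEntries(SAMPLE_ENTRIES);
for (const r of audit.rejected) {
  console.log(`REJECT ${JSON.stringify(r.entryPath)}: ${r.reason}`);
}
console.log(`accepted ${audit.accepted.length}, rejected ${audit.rejected.length}`);
```

When plugging this into an installer, reject the whole archive rather than silently skipping bad entries: a partially extracted plugin is harder to reason about than a refused one, and the rejected entry names are exactly what you want in the install log for later triage. Checking header names alone does not cover link entries whose target points outside the destination; those need the same containment test on the link target.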
---
**[devsupporter commentary]**
This article is the latest development news provided by GitHub Security Advisories. To learn more about the related tools or technology, see the original link.
![[openclaw] OpenClaw has Zip Slip path traversal in tar archive extraction](/assets/images/github_com_1772501094993.png)