A backslash path traversal vulnerability in LocalFolderExtractor allows an attacker to write arbitrary files with attacker-controlled content anywhere on the filesystem when a crafted RAR archive is extracted on Linux/Unix. This can often lead to remote code execution (e.g., overwriting shell profiles, source code, cron jobs, etc).
The createFile() method in LocalFolderExtractor.java validates extraction paths using getCanonicalPath().startsWith() to ensure files stay within the destination directory:
File f = new File(destination, name);
String dirCanonPath = f.getCanonicalPath();
if (!dirCanonPath.startsWith(destination.getCanonicalPath())) {
throw new IllegalStateException("Rar contains file with invalid path: '" + dirCanonPath + "'");
}
On Linux/Unix, backslashes are literal filename characters, not path separators. A RAR entry named ..\..\tmp\evil.txt is treated by getCanonicalPath() as a single literal filename containing backslash characters — no .. resolution occurs, and the startsWith check passes.
However, makeFile() then splits the filename on backslashes and reconstructs the path using the platform's file separator:
final String[] dirs = name.split("\\\\");
// dirs = ["..", "..", "tmp", "evil.txt"]
// ...
path = path + File.separator + dirs[i]; // File.separator is "/" on Linux
This converts the literal backslashes into real directory traversal: ../../tmp/evil.txt. The extract() method then opens a FileOutputStream on this path and writes the RAR entry's content to it, achieving arbitrary file write outside the extraction directory.
On Windows this is not exploitable because backslashes are path separators, so getCanonicalPath() correctly resolves the .. components and the startsWith check blocks the traversal.
Affected versions: Tested on 7.5.7...
7.5.8Exploitability
AV:NAC:HPR:NUI:NScope
S:UImpact
C:NI:HA:N5.9/CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N