Hi,
I looked at the code in
tika-parsers\tika-parsers-standard\tika-parsers-standard-modules\tika-parser-pkg-module\src\main\java\org\apache\tika\parser\pkg\RarParser.java
and it is not extracting to the local file system; it is storing the
directory and getting the content from an InputStream.
So what remains is the danger that this happens elsewhere, e.g. with the
-Z option from the command line. TikaCLI.getOutputFile() does have a
check. That check was added in 8/2025, thus before the 3.2.3 release.
Tilman
On 04.03.2026 at 10:32, Saravanan Balakrishnan wrote:
Hi Tika Team,
From our scan of the Tika 3.2.3 jar file, we have seen a vulnerability in
one of the jar files used: it uses the vulnerable version 7.5.5 of junrar.
POM file reference:
tika-parent/pom.xml: <junrar.version>7.5.5</junrar.version>
CVE info:
CVE-2026-28208 : Junrar is an open source java RAR archive library.
Prior to version 7.5.8, a backslash path traversal vulnerability in
`LocalFolderExtractor` allows an attacker to write arbitrary files
with attacker-controlled content anywhere on the filesystem when a
crafted RAR archive is extracted on Linux/Unix.
Is there any possible fix in an upcoming release, say 4.x? Kindly share
more information on this.
Regards,
Saravanan B
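To illustrate the two points in this thread (the backslash path traversal described for junrar's LocalFolderExtractor, and why an output-path check such as the one Tilman mentions in TikaCLI.getOutputFile() matters), here is an added, self-contained example. It is not code from Tika or from junrar: the "naive" methods are a hypothetical extractor written for this example, the method and class names are invented, and the destination directory and entry names are constructed. It shows how a check that only splits on "/" passes an entry name like "..\..\etc\cron.d\evil" on Linux, because the whole name is one segment, and how converting backslashes afterwards then lands the file outside the destination; the hardened method unifies separators first and confirms containment after normalization.

```java
import java.nio.file.Path;
import java.nio.file.Paths;

/*
 * Added example, not code from Tika or junrar.  The "naive" methods are a
 * hypothetical extractor used to show the backslash problem on Linux; the
 * "safe" method is one way to harden such a check.
 */
public class ArchiveEntryPathCheck {

    /** Hypothetical naive check: looks for ".." segments split on "/" only. */
    static boolean naiveHasTraversal(String entryName) {
        for (String seg : entryName.split("/")) {
            if (seg.equals("..")) {
                return true;
            }
        }
        return false;
    }

    /**
     * Hypothetical naive resolve: checks first, then converts backslashes
     * (RAR entries written on Windows use them) before joining with destDir.
     * On Linux the check sees a single segment "..\..\etc\cron.d\evil", so it passes.
     */
    static Path naiveResolve(Path destDir, String entryName) {
        if (naiveHasTraversal(entryName)) {
            throw new SecurityException("traversal in: " + entryName);
        }
        return destDir.toAbsolutePath().resolve(entryName.replace('\\', '/')).normalize();
    }

    /** Hardened: unify separators first, reject absolute/drive paths, then confirm containment. */
    static Path safeResolve(Path destDir, String entryName) {
        String unified = entryName.replace('\\', '/');
        if (unified.isEmpty() || unified.startsWith("/") || unified.matches("[A-Za-z]:.*")) {
            throw new SecurityException("absolute or empty entry name: " + entryName);
        }
        for (String seg : unified.split("/")) {
            if (seg.equals("..")) {
                throw new SecurityException("traversal segment in: " + entryName);
            }
        }
        Path base = destDir.toAbsolutePath().normalize();
        Path target = base.resolve(unified).normalize();
        // Segment-wise containment check after normalization, independent of the checks above.
        if (!target.startsWith(base)) {
            throw new SecurityException("escapes destination: " + entryName);
        }
        return target;
    }

    public static void main(String[] args) {
        Path dest = Paths.get("/tmp/extract");   // constructed destination directory
        String[] names = {                        // constructed entry names
            "docs/readme.txt",
            "..\\..\\etc\\cron.d\\evil",           // backslash traversal, as in the CVE description
            "../../etc/cron.d/evil",               // forward-slash traversal, caught by both
            "/etc/cron.d/evil",                    // absolute name, caught only by the safe check
        };
        for (String name : names) {
            System.out.println("entry: " + name);
            try {
                System.out.println("  naive -> " + naiveResolve(dest, name));
            } catch (SecurityException e) {
                System.out.println("  naive -> rejected (" + e.getMessage() + ")");
            }
            try {
                System.out.println("  safe  -> " + safeResolve(dest, name));
            } catch (SecurityException e) {
                System.out.println("  safe  -> rejected (" + e.getMessage() + ")");
            }
        }
    }
}
```

Run with `javac ArchiveEntryPathCheck.java && java ArchiveEntryPathCheck` on Linux: the naive path resolves the backslash entry to /etc/cron.d/evil, while safeResolve rejects it. The containment check (`target.startsWith(base)`) is kept even though the segment scan already rejects "..", so that a future change to the separator handling cannot silently reopen the hole.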