GHSA-jxr7-mqhw-9p98MediumCVSS 5.8

K3s: ZIP Archive Path Traversal Vulnerability in etcd Snapshot Decompression

Published
July 14, 2026
Last Modified
July 14, 2026

🔗 CVE IDs covered (1)

📋 Description

Summary

A path traversal vulnerability exists in K3s's etcd snapshot decompression functionality. Zip files containing archive members with maliciously crafted names (e.g., ../../../../etc/password) can be written to arbitrary locations on the filesystem when an administrator restores the archive as a compressed etcd snapshot.

Mitigations

  • Enable golang's built-in insecure path protections when restoring snapshots by setting theGODEBUG environment variable:
    GODEBUG=zipinsecurepath=0 k3s server --cluster-reset --cluster-reset-restore-path=/path/to/snapshot.zip
    
  • Manually extract the snapshot from the zip archive before restoring it. If the snapshot to be restored does not end with .zip, the vulnerable extraction code will not be executed.

Additional Notes

Administrators should be aware of the cautions noted in the "Security" section of the documentation on Restoring Snapshots.

🎯 Affected products3

  • go/github.com/k3s-io/k3s:>= 1.35.0-rc1, < 1.35.3
  • go/github.com/k3s-io/k3s:>= 1.34.0-rc1, < 1.34.6
  • go/github.com/k3s-io/k3s:< 1.33.10

🔗 References (3)