CVE-2026-23879: CWE-59: Improper Link Resolution Before File Access ('Link Following') in miurahr py7zr
py7zr is a Python-based library and utility to support 7zip archive compression, decompression, encryption and decryption. Versions 1.1.2 and below contain an an arbitrary file write vulnerability, which allows symbolic links to be recreated outside the destination directory via crafted malicious symbolic link chains. When using extractall to extract an archive, the library restores these symbolic links, linking them to arbitrary directories on the host file system. During extraction, the program only checks the link arcname within the destination directory, but ignores the combined symlink path resolution. Attackers can exploit this vulnerability by constructing malicious archives, thereby bypassing the directory boundary restrictions implemented by the extractor. Subsequent extraction of regular files through these symbolic links can result in arbitrary file writes. This vulnerability may lead to remote code execution, privilege escalation, data corruption, or denial of service. This issue has been fixed in version 1.1.3.
AI Analysis
Technical Summary
The py7zr Python library (version 1.1.2 and earlier) improperly resolves symbolic links when extracting 7zip archives using the extractall function. Specifically, it only checks the symbolic link's arcname within the destination directory but does not correctly resolve the full symlink path, allowing crafted symbolic link chains to point outside the extraction directory. This enables attackers to bypass directory boundary restrictions and cause arbitrary file writes on the host system. Such writes can lead to severe impacts including remote code execution, privilege escalation, data corruption, or denial of service. The vulnerability is identified as CWE-59 (Improper Link Resolution Before File Access). It has been fixed in py7zr version 1.1.3.
Potential Impact
Exploitation of this vulnerability allows attackers to write files arbitrarily outside the intended extraction directory by leveraging malicious symbolic link chains in crafted archives. This can result in remote code execution, privilege escalation, data corruption, or denial of service on affected systems.
Mitigation Recommendations
Upgrade py7zr to version 1.1.3 or later, where this vulnerability has been fixed. Patch status is confirmed by the vendor's fix in version 1.1.3. No other mitigation is indicated.
CVE-2026-23879: CWE-59: Improper Link Resolution Before File Access ('Link Following') in miurahr py7zr
Description
py7zr is a Python-based library and utility to support 7zip archive compression, decompression, encryption and decryption. Versions 1.1.2 and below contain an an arbitrary file write vulnerability, which allows symbolic links to be recreated outside the destination directory via crafted malicious symbolic link chains. When using extractall to extract an archive, the library restores these symbolic links, linking them to arbitrary directories on the host file system. During extraction, the program only checks the link arcname within the destination directory, but ignores the combined symlink path resolution. Attackers can exploit this vulnerability by constructing malicious archives, thereby bypassing the directory boundary restrictions implemented by the extractor. Subsequent extraction of regular files through these symbolic links can result in arbitrary file writes. This vulnerability may lead to remote code execution, privilege escalation, data corruption, or denial of service. This issue has been fixed in version 1.1.3.
CVSS v3.1
Score 8.0high
Affected software
Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The py7zr Python library (version 1.1.2 and earlier) improperly resolves symbolic links when extracting 7zip archives using the extractall function. Specifically, it only checks the symbolic link's arcname within the destination directory but does not correctly resolve the full symlink path, allowing crafted symbolic link chains to point outside the extraction directory. This enables attackers to bypass directory boundary restrictions and cause arbitrary file writes on the host system. Such writes can lead to severe impacts including remote code execution, privilege escalation, data corruption, or denial of service. The vulnerability is identified as CWE-59 (Improper Link Resolution Before File Access). It has been fixed in py7zr version 1.1.3.
Potential Impact
Exploitation of this vulnerability allows attackers to write files arbitrarily outside the intended extraction directory by leveraging malicious symbolic link chains in crafted archives. This can result in remote code execution, privilege escalation, data corruption, or denial of service on affected systems.
Mitigation Recommendations
Upgrade py7zr to version 1.1.3 or later, where this vulnerability has been fixed. Patch status is confirmed by the vendor's fix in version 1.1.3. No other mitigation is indicated.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-01-16T21:02:02.900Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a3c3685e60265867b7394ef
Added to database: 06/24/2026, 19:56:53 UTC
Last enriched: 06/24/2026, 20:01:31 UTC
Last updated: 06/24/2026, 20:49:36 UTC
Views: 5
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.