CVE-2026-12565: CVE-2026-12565: Arbitrary File Write via Path Traversal in BBOT unarchive Module

# security# cve# cybersecurity
CVE-2026-12565: CVE-2026-12565: Arbitrary File Write via Path Traversal in BBOT unarchive ModuleCVE Reports

CVE-2026-12565: Arbitrary File Write via Path Traversal in BBOT unarchive...

CVE-2026-12565: Arbitrary File Write via Path Traversal in BBOT unarchive Module

Vulnerability ID: CVE-2026-12565
CVSS Score: 5.3
Published: 2026-06-18

CVE-2026-12565 is a medium-severity path traversal (Zip-Slip) vulnerability within the internal unarchive module of the BBOT (Black Lantern Security) OSINT framework. The vulnerability exists due to a failure to validate target paths before extracting archives using host-level command-line utilities. This allows remote, unauthenticated attackers to write arbitrary files outside of the target extraction folder on environments running legacy versions of GNU tar.

TL;DR

Unauthenticated remote attackers can write arbitrary files and potentially achieve remote code execution via a directory traversal exploit in BBOT's unarchive module when executed on legacy platforms.

⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-22
  • Attack Vector: Network (AV:N)
  • CVSS v3.1: 5.3 (Medium)
  • EPSS Score: 0.00208 (Percentile: 10.84%)
  • Impact: Arbitrary File Write / Potential Remote Code Execution
  • Exploit Status: Proof of Concept (PoC)
  • CISA KEV Status: Not Listed

Affected Systems

  • BBOT framework (versions 2.3.1 to 2.8.4)
  • Operating systems utilizing GNU tar < 1.34 (Ubuntu 20.04 LTS, Debian 10 Buster, CentOS 7, legacy Docker base images)
  • BBOT: >= 2.3.1, <= 2.8.4 (Fixed in: Post-2.8.4 patch release)

Code Analysis

Commit: 4fb38fd

Harden unarchive preload and add max extracted size limit

@@ -14,6 +14,8 @@ class unarchive(BaseInternalModule):
         "author": "@domwhewell-sage",
     }

+    _max_extracted_size = 1_000_000_000  # 1 GB
+
     async def setup(self):
...
@@ -82,6 +84,14 @@ async def extract_file(self, path, output_dir):
             command = [s.format(filename=path, extract_dir=output_dir) for s in cmd_list]
             try:
                 await self.run_process(command, check=True)
+                extracted_size = sum(f.stat().st_size for f in output_dir.rglob("*") if f.is_file())
+                if extracted_size > self._max_extracted_size:
+                    self.helpers.rm_rf(output_dir)
+                    self.warning(
+                        f"Extracted size {extracted_size:,} bytes exceeds limit "
+                        f"({self._max_extracted_size:,} bytes), removing {output_dir}"
+                    )
+                    return False
Enter fullscreen mode Exit fullscreen mode

Exploit Details

  • Research Context: Proof of concept generating a malicious TAR archive containing symlinks to write files to /etc/cron.d

Mitigation Strategies

  • Upgrade GNU tar on the host system to version 1.34 or later.
  • Run BBOT under non-root users and within containerized environments configured with read-only root filesystems.
  • Manually intercept and validate archive structures prior to invoking external extraction commands.

Remediation Steps:

  1. Identify environments running BBOT with legacy GNU tar versions (Ubuntu 20.04, CentOS 7).
  2. Install GNU tar version 1.34+ or migrate to modern base container images (such as Ubuntu 22.04+).
  3. Restrict container write permissions using security constraints like '--read-only' and isolate mount points.

References

Read the full report for CVE-2026-12565 on our website for more details including interactive diagrams and full exploit analysis.