K3s: ZIP Archive Path Traversal Vulnerability in etcd Snapshot Decompression
Package
Affected versions
>= 1.35.0-rc1, < 1.35.3
>= 1.34.0-rc1, < 1.34.6
< 1.33.10
Patched versions
1.35.3
1.34.6
1.33.10
Description
Published by the National Vulnerability Database
Jun 25, 2026
Published to the GitHub Advisory Database
Jul 14, 2026
Reviewed
Jul 14, 2026
Last updated
Jul 14, 2026
Summary
A path traversal vulnerability exists in K3s's etcd snapshot decompression functionality. Zip files containing archive members with maliciously crafted names (e.g.,
../../../../etc/password) can be written to arbitrary locations on the filesystem when an administrator restores the archive as a compressed etcd snapshot.Mitigations
GODEBUGenvironment variable:.zip, the vulnerable extraction code will not be executed.Additional Notes
Administrators should be aware of the cautions noted in the "Security" section of the documentation on Restoring Snapshots.
References