Kaniko Path Traversal Vulnerability Allowing File Write Outside Destination
Vulnerability
A path traversal vulnerability has been identified in Kaniko, a tool for building container images from Dockerfiles without a Docker daemon. The issue affects Kaniko versions 1.25.4 through 1.25.7. When Kaniko unpacks a build-context archive, it joins each tar entry name onto the destination directory without checking that the resulting path still lies inside that directory. A tar entry whose name contains parent-directory components (for example '../outside.txt') therefore escapes the extraction root and is written elsewhere on the filesystem with the privileges of the executor. In environments that authenticate to a registry, this arbitrary write can be chained with Docker credential helpers: these are standalone executables named 'docker-credential-<name>' that are looked up on PATH by name and run to obtain registry credentials, so a helper planted through the traversal executes as code within the Kaniko executor process.
Impact
Exploitation allows arbitrary file writes outside the intended extraction directory. Where the build context is supplied by a party other than the operator of the build (a common arrangement in CI pipelines), this is a write primitive against the executor's filesystem, and in environments that authenticate to a Docker registry it can be escalated to code execution within the Kaniko executor process by planting a credential helper that the executor later invokes.
Reproduction
The vulnerability can be reproduced by creating a tar archive containing an entry whose path references the parent directory, such as '../outside.txt', and supplying it to Kaniko 1.25.4 through 1.25.7 as the build context. On extraction the entry is written outside the designated destination directory. Any entry name that resolves outside the destination after path cleaning behaves the same way, including nested forms such as 'dir/../../outside.txt'. The steps can be scripted: package such an archive, invoke Kaniko on it as a build context, and check for the file outside the destination, which mirrors a real-world scenario in which build contexts come from sources the build operator does not control.
Remediation
Upgrade to Kaniko version 1.25.10 or later, where extraction paths are validated with 'securejoin' so that each entry resolves to a location within the intended destination directory (securejoin also resolves symlinks relative to that directory, so a symlink written by an earlier entry cannot redirect a later one). Until the upgrade is in place, treat build contexts from sources the build operator does not control as untrusted input and do not feed them to affected versions.
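The Go program below is an added illustration of the Reproduction and Remediation sections above; it is not code from Kaniko or from this advisory. It builds, in memory, an archive with the '../outside.txt' entry described above, runs it through an extractor that joins entry names with no containment check, and then through one that enforces the check the fix introduces. Because 'securejoin' is a third-party module, the checked variant uses a standard-library stand-in named safeJoin, which is a hypothetical helper written for this example and not securejoin's API. The function names, the scratch directory layout and the archive contents are all constructed here.

```go
package main

import (
	"archive/tar"
	"bytes"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
)

// buildMaliciousTar assembles a constructed build context in memory: a benign Dockerfile plus one entry whose name climbs out of the extraction root.
func buildMaliciousTar() []byte {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	entries := [][2]string{{"Dockerfile", "FROM scratch\n"}, {"../outside.txt", "escaped the extraction root\n"}}
	for _, e := range entries {
		hdr := &tar.Header{Name: e[0], Typeflag: tar.TypeReg, Mode: 0o644, Size: int64(len(e[1]))}
		if err := tw.WriteHeader(hdr); err != nil {
			panic(err)
		}
		tw.Write([]byte(e[1])) // writing to an in-memory buffer cannot fail
	}
	tw.Close()
	return buf.Bytes()
}

// unsafeJoin reproduces the flawed pattern: the entry name is joined to dest with no containment check, so ".." climbs out.
func unsafeJoin(dest, name string) (string, error) {
	return filepath.Join(dest, name), nil
}

// safeJoin is a hypothetical standard-library stand-in for securejoin.SecureJoin: the joined, cleaned path
// must be dest itself or lie strictly below it. Unlike securejoin it does not resolve symlinks under dest.
func safeJoin(dest, name string) (string, error) {
	dest = filepath.Clean(dest)
	target := filepath.Join(dest, name) // Join cleans, collapsing ".." segments
	if target != dest && !strings.HasPrefix(target, dest+string(filepath.Separator)) {
		return "", fmt.Errorf("tar entry %q resolves outside %s", name, dest)
	}
	return target, nil
}

// extract unpacks the regular-file entries of archive under dest, routing each name through join; it stops at the first error.
func extract(archive []byte, dest string, join func(dest, name string) (string, error)) ([]string, error) {
	tr := tar.NewReader(bytes.NewReader(archive))
	var written []string
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			return written, nil
		}
		if err != nil {
			return written, err
		}
		if hdr.Typeflag != tar.TypeReg {
			continue
		}
		target, err := join(dest, hdr.Name)
		if err != nil {
			return written, err
		}
		body, err := io.ReadAll(tr)
		if err != nil {
			return written, err
		}
		if err := os.MkdirAll(filepath.Dir(target), 0o755); err != nil {
			return written, err
		}
		if err := os.WriteFile(target, body, os.FileMode(hdr.Mode)); err != nil {
			return written, err
		}
		written = append(written, target)
	}
}

// Demo extracts the archive twice under a scratch directory, once per join strategy, and reports whether the unsafe
// run wrote outside.txt one level above its dest and whether the checked run refused the traversal entry.
func Demo() (unsafeEscaped, safeRejected bool, err error) {
	root, err := os.MkdirTemp("", "kaniko-traversal-*")
	if err != nil {
		return false, false, err
	}
	defer os.RemoveAll(root)
	archive := buildMaliciousTar()
	if _, err = extract(archive, filepath.Join(root, "unsafe-ctx"), unsafeJoin); err != nil {
		return false, false, err
	}
	_, statErr := os.Stat(filepath.Join(root, "outside.txt")) // beside unsafe-ctx, not inside it
	_, safeErr := extract(archive, filepath.Join(root, "safe-ctx"), safeJoin)
	return statErr == nil, safeErr != nil, nil
}

func main() {
	escaped, rejected, err := Demo()
	fmt.Println("unsafe extractor escaped dest:", escaped, "| checked extractor rejected entry:", rejected, "| error:", err)
}
```

Run it with 'go run .': the unsafe pass leaves 'outside.txt' beside the destination directory, while the checked pass stops at the traversal entry with an error after writing only the Dockerfile. The prefix test in safeJoin is sound only because it operates on cleaned lexical paths with the separator appended (so 'ctx2' does not pass as a prefix of 'ctx') and assumes no symlinks under dest; securejoin additionally resolves symlinks relative to the root, which is why it is the appropriate fix when an earlier archive entry can itself be a symlink.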
