CVE-2024-55587

Severity: High

Published: 12 December 2024
Modified: 15 April 2026
KEV: not listed

CVSS v3.1 base score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS score: 0.3734 (97.3rd percentile)
Risk Priority: 40 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-55587 is a high-severity Path Traversal (CWE-22) vulnerability in python-libarchive. Its CVSS v3.1 base score is 8.8 (High).

Operationally, its EPSS score places it in the top 2.7% of CVEs by predicted exploitation likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

python-libarchive through version 4.2.1 contains a directory traversal vulnerability in the extract logic of libarchive/zip.py. The flaw affects the ZipFile.extractall and ZipFile.extract methods, which fail to properly sanitize paths when processing ZIP archives and therefore permit creation of files outside the intended destination directory. The issue is tracked as CVE-2024-55587, carries a CVSS 3.1 score of 8.8, and is categorized under CWE-22.

An attacker who can get a crafted ZIP archive to the application, for example by uploading it over the network, and who can trigger extraction through the affected APIs needs no further privileges. Entry names containing ".." components (or absolute paths) are joined to the destination directory without validation, so extraction creates files, and overwrites existing ones, at any location the extracting process is permitted to write. The consequences for confidentiality, integrity and availability depend on what that process can reach: configuration files, startup scripts or web roots are the usual targets.

The associated GitHub issue #42 and pull request #41 document the discovery and corrective changes to the zip extraction code, indicating that applying the fix from the repository eliminates the traversal vector. The EPSS score remains at 0.3734 with no material rise observed after disclosure.
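As an added illustration (not code from python-libarchive, from the page, or from the referenced fix), the following stand-alone script builds a constructed ZIP archive containing a "../../" entry, extracts it with the unsanitised join pattern the analysis above describes, and then with a containment check of the kind listed under Mitigating Controls. It uses only the Python standard library; the function names `build_zip`, `naive_extract`, `safe_extract` and `demo`, and the sample entry names, are assumptions for illustration and are not the python-libarchive API.

```python
"""Added example: ZIP path traversal (CWE-22) and a hardened extractor.
Not python-libarchive code; standard library only, runs offline."""
import io
import os
import tempfile
import zipfile


def build_zip(entries: dict) -> bytes:
    """Build an in-memory ZIP from {member_name: text}. Constructed sample data."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, text in entries.items():
            zf.writestr(name, text)  # member names are stored verbatim
    return buf.getvalue()


def naive_extract(zip_bytes: bytes, dest: str) -> list:
    """Vulnerable pattern: trusts member names and joins them onto dest."""
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            target = os.path.join(dest, info.filename)  # no sanitisation at all
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(os.path.abspath(target))
    return written


def safe_extract(zip_bytes: bytes, dest: str) -> list:
    """Hardened: validate every entry before writing anything, and require
    each resolved target to be dest itself or a path below it."""
    dest_real = os.path.realpath(dest)
    planned = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            parts = name.replace("\\", "/").split("/")
            # Reject absolute names, drive letters and any '..' component up front.
            if os.path.isabs(name) or name.startswith("/") or ".." in parts:
                raise ValueError(f"refusing traversal entry: {name!r}")
            target = os.path.realpath(os.path.join(dest_real, name))
            # Belt and braces: after resolution the target must still be inside dest.
            if os.path.commonpath([dest_real, target]) != dest_real:
                raise ValueError(f"entry escapes destination: {name!r}")
            planned.append((info, target))
        # Only once every entry has passed do we touch the filesystem,
        # so a malicious archive never gets a partial extraction.
        written = []
        for info, target in planned:
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(target)
    return written


def demo() -> dict:
    """Run both extractors inside a throwaway directory and report what happened."""
    root = tempfile.mkdtemp()
    dest = os.path.join(root, "a", "b")  # two levels deep so '../..' lands in root
    os.makedirs(dest)
    malicious = build_zip({
        "readme.txt": "benign content\n",
        "../../escaped.txt": "written outside the destination\n",
    })
    benign = build_zip({"docs/readme.txt": "benign content\n"})

    naive_extract(malicious, dest)
    escaped = os.path.isfile(os.path.join(root, "escaped.txt"))

    try:
        safe_extract(malicious, os.path.join(root, "safe"))
        blocked = False
    except ValueError:
        blocked = True
    # The hardened path must also refuse to leave stray files behind.
    safe_partial = os.path.exists(os.path.join(root, "safe", "readme.txt"))

    benign_written = safe_extract(benign, os.path.join(root, "ok"))
    return {
        "naive_wrote_outside": escaped,
        "safe_blocked": blocked,
        "safe_left_partial": safe_partial,
        "benign_count": len(benign_written),
    }


if __name__ == "__main__":
    print(demo())
```

The two-pass structure in `safe_extract` matters as much as the check itself: an extractor that validates entry by entry will already have written earlier members before it hits the traversal entry, which is a usable foothold if any of those members are themselves attacker-controlled. Note also that the check resolves the destination with `realpath` before comparing, so a destination that is itself a symlink does not defeat the `commonpath` test.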

Vulnerability details

python-libarchive through 4.2.1 allows directory traversal (to create files) in extract in zip.py for ZipFile.extractall and ZipFile.extract.

CWE(s)

CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

python-libarchive, all versions through 4.2.1 (ZipFile.extract and ZipFile.extractall in zip.py).

Mitigating Controls

Per-CVE control mapping for this CVE has not run yet; the control below is derived from the weakness type (CWE-22) cited in the NVD entry.

Path validation (addresses CWE-22): validate pathnames and filenames before extraction so that no archive entry, whether by ".." components, absolute paths or symlink resolution, can resolve to a location outside the intended destination directory. Until the repository fix is applied, the practical workaround is to validate entry names yourself before calling ZipFile.extract or ZipFile.extractall.
