CVE-2021-32825: 
vulnerability analysis and mitigation

The CVE-2021-32825 is a ZipSlip vulnerability discovered in bblfshd, reported on November 30, 2020. The vulnerability stems from unsafe handling of symbolic links in an unpacking routine, which could allow attackers to read and/or write to arbitrary locations outside the designated target folder (GitHub Security Lab).

The vulnerability exists in the untar routine where a malicious tarball can create symbolic links that point outside the archive's intended extraction directory. The issue occurs when linking subdir/parent to .. (which is allowed since subdir/.. falls within the archive root) and then linking subdir/parent/escapes to .., resulting in a symbolic link pointing to the tarball's parent directory. This bypasses the routine's security measures (GitHub Security Lab).

The vulnerability could lead to arbitrary file write with the same permissions as the program running the unpack operation. Additionally, if an attacker has read access to the unpacked files, they may be able to read arbitrary system files that the parent process has permissions to read (GitHub Security Lab).

The issue was addressed with additional checks on symbolic links in the untar routine. A fix was implemented and merged into the master branch of bblfshd, which adds validation to ensure that symbolic links cannot point to locations outside the designated target directory (GitHub Commit).