CVE-2024-55587: 
Python vulnerability analysis and mitigation

The vulnerability (CVE-2024-55587) affects python-libarchive through version 4.2.1, specifically impacting the extract functionality in zip.py for ZipFile.extractall and ZipFile.extract methods. The vulnerability was disclosed on December 11, 2024, and allows attackers to perform directory traversal attacks to create files in arbitrary locations (NVD).

The vulnerability stems from improper input sanitization in the ZipFile class's extract and extractall methods. The issue is specifically located in zip.py where the code uses os.path.join to combine unsanitized user input with the intended extraction path, making it susceptible to directory traversal attacks. The vulnerability has been assigned a CVSS v3.1 base score of 8.8 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (GitHub Issue, NVD).

The vulnerability allows attackers to write files to arbitrary locations on the disk, regardless of the target path specified by the developer. For example, it could be exploited to overwrite sensitive files such as the authorized_keys file in a user's home directory, potentially enabling unauthorized SSH access to the affected server (GitHub Issue).

A fix for this vulnerability has been proposed in pull request #41, which implements additional filename sanitization logic borrowed from the pyzipper project. The fix includes a new sanitize_filename method to prevent directory traversal attacks (GitHub PR).