# BentoML — Path traversal risk in Yatai tar extraction path

STATUS: ALMOST_REPORT (needs investigation; do not submit)
readiness: NEEDS_INVESTIGATION
program: BentoML | platform: huntr | repo: bentoml/BentoML | commit: 2026-02-12-scan

````
Repository URL: https://github.com/bentoml/BentoML
Package Manager: pip
Version Affected: latest (observed in 2026-02-12 scan)
Vulnerability Type: Path Traversal

CVSS:
  Attack Vector: Network
  Attack Complexity: High
  Privileges Required: High
  User Interaction: None
  Scope: Changed
  Confidentiality: Low
  Integrity: High
  Availability: Low

Title: Yatai extraction path writes tar member names without explicit traversal guard

Impact: Potential arbitrary file write in contexts that trust archive content from a compromised/malicious upstream service. Could lead to config overwrite or code execution depending on writable paths.

Description:

# Description

A Yatai-related extraction flow writes tar member names without an explicit safe-extract path guard, unlike other BentoML extraction paths that use dedicated safe extraction helpers.

This creates a potential traversal risk if a malicious archive with `../` member names is processed and the underlying filesystem wrapper does not strictly block traversal.

# Proof of Concept

1. Provide/serve a crafted tar archive with traversal entry names (e.g., `../../tmp/pwned`).
2. Trigger the Yatai extraction path.
3. Verify whether a write occurs outside the expected extraction root.

Expected vulnerable behavior (if not blocked by the runtime FS layer): the archive member path escapes the intended directory.

### Impact

Potential arbitrary file write in contexts that trust archive content from a compromised/malicious upstream service. Could lead to config overwrite or code execution depending on writable paths.

### Occurrences

```
Permalink: https://github.com/bentoml/BentoML/blob/main/src/bentoml/_internal/cloud/yatai.py#L539
Description: tar member name handling lacks explicit safe_extract-style path validation
```

### References

```
URL: https://cwe.mitre.org/data/definitions/22.html
Name: CWE-22: Path Traversal
URL: https://portswigger.net/web-security/file-path-traversal
Name: File path traversal primer
```

Occurrences:
Permalink: https://github.com/bentoml/BentoML/blob/main/src/bentoml/_internal/cloud/yatai.py#L539
Description: tar member name handling lacks explicit safe_extract-style path validation

References:
URL: https://cwe.mitre.org/data/definitions/22.html
Name: CWE-22: Path Traversal
URL: https://portswigger.net/web-security/file-path-traversal
Name: File path traversal primer
````