Versions of ingest-file released before June 12th, 2025, contained a security vulnerability due to insecure handling of 7zip archives.
Summary
When processing 7zip archives, ingest-file followed symbolic links even when they pointed at files outside the archive. A maliciously crafted archive would therefore allow an attacker to access arbitrary files in the ingest-file container.
Depending on the exact configuration and deployment method, this might include:
- Access to files uploaded to Aleph when the file archive is stored on a local filesystem (rather than in object storage such as S3 or Google Cloud Storage), because the file archive is then mounted into the container.
- Access to environment variables.
- Access to secrets mounted into the container.
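The defensive check that closes this class of bug is to treat every symbolic link in an extracted tree as untrusted and refuse any whose fully resolved target lands outside the extraction root. The example below is added for illustration and is not the ingest-file patch or any code from the project; it is written in Python because ingest-file is a Python project. It is deliberately format-agnostic: rather than building a 7zip archive (which would need a third-party library), it constructs a temporary directory that stands in for an already extracted archive, including an in-tree link, a link that escapes directly, a link that escapes through another link, and a directory link that escapes. All file names, the `outside/secret.txt` stand-in for a mounted secret, and the function names are assumptions of this example.

```python
import os
import tempfile


def is_inside(path: str, root: str) -> bool:
    """True if the fully resolved path lies within the fully resolved root.

    Both sides are passed through realpath so that a chain of links
    (link -> link -> outside) is judged by its final destination.
    """
    real_root = os.path.realpath(root)
    real_path = os.path.realpath(path)
    try:
        return os.path.commonpath([real_root, real_path]) == real_root
    except ValueError:  # different drives on Windows: cannot be inside
        return False


def find_escaping_links(root: str) -> list[str]:
    """Return root-relative paths of symlinks whose target resolves outside root.

    os.walk is used with followlinks=False so a symlinked directory is
    listed (and checked) but never traversed.
    """
    offenders = []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) and not is_inside(full, root):
                offenders.append(os.path.relpath(full, root))
    return sorted(offenders)


def collect_safe_files(root: str) -> dict[str, bytes]:
    """Read only regular files (or links to them) that stay inside root.

    This is the shape of a processing loop that refuses to leak data through
    an escaping link instead of following it.
    """
    safe = {}
    for dirpath, _dirnames, filenames in os.walk(root, followlinks=False):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if not is_inside(full, root):
                continue  # escaping link: skip, do not open
            if os.path.isfile(full):
                with open(full, "rb") as fh:
                    safe[os.path.relpath(full, root)] = fh.read()
    return safe


def build_sample_tree() -> str:
    """Construct a stand-in for an extracted malicious archive (sample data).

    Layout (all constructed for this example):
      <tmp>/outside/secret.txt       stand-in for a secret mounted in the container
      <tmp>/extracted/report.txt     ordinary archive member
      <tmp>/extracted/notes          -> report.txt          (in-tree, allowed)
      <tmp>/extracted/leak           -> ../outside/secret.txt (escapes)
      <tmp>/extracted/chain          -> leak                (escapes via chain)
      <tmp>/extracted/confdir        -> ../outside          (directory escape)
    Returns the path of the extracted/ directory.
    """
    base = tempfile.mkdtemp(prefix="symlink-check-")
    outside = os.path.join(base, "outside")
    extracted = os.path.join(base, "extracted")
    os.makedirs(outside)
    os.makedirs(extracted)
    with open(os.path.join(outside, "secret.txt"), "wb") as fh:
        fh.write(b"constructed secret value\n")
    with open(os.path.join(extracted, "report.txt"), "wb") as fh:
        fh.write(b"harmless report contents\n")
    os.symlink("report.txt", os.path.join(extracted, "notes"))
    os.symlink("../outside/secret.txt", os.path.join(extracted, "leak"))
    os.symlink("leak", os.path.join(extracted, "chain"))
    os.symlink("../outside", os.path.join(extracted, "confdir"))
    return extracted


if __name__ == "__main__":
    root = build_sample_tree()
    print("escaping links:", find_escaping_links(root))
    print("safe files:", sorted(collect_safe_files(root)))
```

The check is applied to the extracted tree rather than to archive metadata on purpose: it is independent of the archive format and of how faithfully a given extractor reports link targets, and it catches chains of links that only escape once resolved. In a real deployment the same test belongs immediately after extraction and before any file in the tree is opened.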
Affected versions
This affects all versions of ingest-file prior to 4.1.2.
How to update
Please refer to the release notes of the patch release.
Credits
OCCRP would like to thank everyone who identified this vulnerability and contributed to its resolution:
- Responsibly disclosed by InterSecLab
- Patch by Alex Ștefănescu
- Research, Testing, Validation: Alex Ștefănescu, Simon Wörpel, Jan Strozyk, Friedrich Lindenberg