The vulnerability stems from the snapshot recovery mechanism in qdrant/qdrant, which fails to properly validate input, specifically symlinks within snapshot archives. For reading, an attacker can add a symlink pointing to any file on the filesystem, which gets included in a new snapshot of the recovered collection. For writing, an attacker can exploit the predictable naming convention of directories during the unpacking of .tar files to redirect the extraction process to arbitrary locations, allowing for file write or overwrite. This can lead to information disclosure, data corruption, or even remote code execution if system binaries or scripts are targeted.

An attacker first creates a malicious snapshot containing symlinks to target files or directories for reading or writing. They then upload this snapshot to the vulnerable qdrant instance, triggering the recovery process. For reading, the contents of the symlinked file are included in a new snapshot created for the recovered collection. For writing, the attacker's payload within a .tar file is extracted to the symlinked location, potentially overwriting critical files or deploying malicious scripts.

Any instance of qdrant/qdrant version 1.9.0-dev that allows users to upload and recover collections from snapshots is vulnerable. This primarily affects server administrators and potentially any user with access to the qdrant service, depending on the permissions required to upload snapshots.