embedded-postgres uses commons-compress's TarArchiveInputStream to unpack the postgres-Binary. The latest published version of embedded-postgres is 1.3.0 which uses commons-compress 1.20.

Four CVEs have been published for commons-compress 1.20 recently.

1. http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-35515
2. http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-35516
3. http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-35517
4. http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-36090

According to https://issues.apache.org/jira/browse/COMPRESS-586 all of them had been documented to be fixed in 1.21 already but the documentation has disappeared. I can only find the fix for CVE-2021-35516:
https://issues.apache.org/jira/browse/COMPRESS-542.

Please provide an new release of embedded-postgres with an updated version of commons-compress. Either 1.21 or newer, dependent on the feedback of COMPRESS-586.