Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
5DescriptionGitHub Advisory
Zip Slip Path Traversal in coder/code-marketplace
Summary
A Zip Slip (CWE-22) vulnerability in coder/code-marketplace ≤ v2.4.1 allowed a malicious VSIX file to write arbitrary files outside the extension directory. ExtractZip passed raw zip entry names to a callback that wrote files via filepath.Join with no boundary check; filepath.Join resolved .. components but did not prevent the result from escaping the base path.
Root Cause
ExtractZip passed the raw, attacker-controlled zf.Name to a caller-supplied callback:
return false, fn(zf.Name, zr) // zf.Name not sanitizedAddExtension constructed the output path with filepath.Join and no boundary check:
path := filepath.Join(dir, name) // zip loop
path := filepath.Join(dir, file.RelativePath) // extra files loopfilepath.Clean resolved .. lexically but did not confine the result to dir:
filepath.Join("/srv/ext/pub/1.0", "../../../../etc/cron.d/evil")
→ "/etc/cron.d/evil"Attack Scenario
An authenticated user (any upload-capable role) would submit a VSIX containing path-traversal entries.
On extraction, files would land at attacker-chosen paths writable by the marketplace process, enabling persistence (cron/init injection), SSH key injection, ld.so.preload hijacking, or binary overwrite depending on process privileges.
Fix
Addressed in https://github.com/coder/code-marketplace/releases/tag/v2.4.2
Recognition
Coder would like to thank Kandlaguduru Vamsi for responsibly disclosing this issue in accordance with https://coder.com/security/policy
AnalysisAI
Path traversal in Coder code-marketplace ≤ v2.4.1 allows authenticated users to write arbitrary files outside the extension directory during VSIX extraction. The ExtractZip function passes unsanitized zip entry names containing '..' sequences to filepath.Join, which resolves parent directory references without confining output to the intended base path. Attackers can inject malicious cron jobs, SSH keys, or overwrite binaries depending on process privileges. Fixed in v2.4.2. No active exploitation confirmed (not in CISA KEV); publicly available exploit code exists.
Technical ContextAI
This is a classic Zip Slip vulnerability (CWE-22: Improper Limitation of a Pathname to a Restricted Directory) in a Go-based Visual Studio Code extension marketplace implementation. The affected package (pkg:go/github.com/coder/code-marketplace) processes VSIX files, which are standard zip archives. The vulnerable code chain involves two functions: ExtractZip passes raw zip entry names (zf.Name) directly to a callback without sanitization, and AddExtension constructs filesystem paths using Go's filepath.Join with these untrusted inputs. While filepath.Join applies filepath.Clean to resolve '..' sequences lexically, it does not validate that the resulting absolute path remains within the intended base directory. For example, filepath.Join('/srv/ext/pub/1.0', '../../../../etc/cron.d/evil') correctly resolves to '/etc/cron.d/evil', escaping the intended extraction boundary. This is a common pitfall in archive extraction implementations across languages-path normalization alone does not provide confinement guarantees.
RemediationAI
Upgrade to code-marketplace version 2.4.2 immediately, released at https://github.com/coder/code-marketplace/releases/tag/v2.4.2. The fix (commit 988440dee05fceef8400ed725badc604dbf90792 at https://github.com/coder/code-marketplace/commit/988440dee05fceef8400ed725badc604dbf90792) implements boundary checking to ensure extracted paths remain within the intended base directory after path resolution. Organizations unable to upgrade immediately should restrict VSIX upload permissions to highly trusted administrators only and review existing uploaded extensions for malicious path-traversal entries. Post-upgrade, audit filesystem locations writable by the marketplace process for unexpected files written before patching, particularly /etc/cron.d, /etc/init.d, user SSH directories, and application binary paths. No effective workaround exists beyond restricting upload access, as the vulnerability is in core extraction logic.
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-19537
GHSA-8x9r-hvwg-c55h