Skip to main content

CVE-2026-35454

| EUVDEUVD-2026-19537 HIGH
Path Traversal (CWE-22)
2026-04-04 https://github.com/coder/code-marketplace GHSA-8x9r-hvwg-c55h
8.7
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

5
Re-analysis Queued
Apr 28, 2026 - 17:07 vuln.today
cvss_changed
EUVD ID Assigned
Apr 04, 2026 - 06:30 euvd
EUVD-2026-19537
Analysis Generated
Apr 04, 2026 - 06:30 vuln.today
Patch released
Apr 04, 2026 - 06:30 nvd
Patch available
CVE Published
Apr 04, 2026 - 06:26 nvd
HIGH 8.7

DescriptionGitHub Advisory

Zip Slip Path Traversal in coder/code-marketplace

Summary

A Zip Slip (CWE-22) vulnerability in coder/code-marketplace ≤ v2.4.1 allowed a malicious VSIX file to write arbitrary files outside the extension directory. ExtractZip passed raw zip entry names to a callback that wrote files via filepath.Join with no boundary check; filepath.Join resolved .. components but did not prevent the result from escaping the base path.

Root Cause

ExtractZip passed the raw, attacker-controlled zf.Name to a caller-supplied callback:

go
return false, fn(zf.Name, zr)  // zf.Name not sanitized

AddExtension constructed the output path with filepath.Join and no boundary check:

go
path := filepath.Join(dir, name)              // zip loop
path := filepath.Join(dir, file.RelativePath) // extra files loop

filepath.Clean resolved .. lexically but did not confine the result to dir:

filepath.Join("/srv/ext/pub/1.0", "../../../../etc/cron.d/evil")
  → "/etc/cron.d/evil"

Attack Scenario

An authenticated user (any upload-capable role) would submit a VSIX containing path-traversal entries.

On extraction, files would land at attacker-chosen paths writable by the marketplace process, enabling persistence (cron/init injection), SSH key injection, ld.so.preload hijacking, or binary overwrite depending on process privileges.

Fix

Addressed in https://github.com/coder/code-marketplace/releases/tag/v2.4.2

Recognition

Coder would like to thank Kandlaguduru Vamsi for responsibly disclosing this issue in accordance with https://coder.com/security/policy

AnalysisAI

Path traversal in Coder code-marketplace ≤ v2.4.1 allows authenticated users to write arbitrary files outside the extension directory during VSIX extraction. The ExtractZip function passes unsanitized zip entry names containing '..' sequences to filepath.Join, which resolves parent directory references without confining output to the intended base path. Attackers can inject malicious cron jobs, SSH keys, or overwrite binaries depending on process privileges. Fixed in v2.4.2. No active exploitation confirmed (not in CISA KEV); publicly available exploit code exists.

Technical ContextAI

This is a classic Zip Slip vulnerability (CWE-22: Improper Limitation of a Pathname to a Restricted Directory) in a Go-based Visual Studio Code extension marketplace implementation. The affected package (pkg:go/github.com/coder/code-marketplace) processes VSIX files, which are standard zip archives. The vulnerable code chain involves two functions: ExtractZip passes raw zip entry names (zf.Name) directly to a callback without sanitization, and AddExtension constructs filesystem paths using Go's filepath.Join with these untrusted inputs. While filepath.Join applies filepath.Clean to resolve '..' sequences lexically, it does not validate that the resulting absolute path remains within the intended base directory. For example, filepath.Join('/srv/ext/pub/1.0', '../../../../etc/cron.d/evil') correctly resolves to '/etc/cron.d/evil', escaping the intended extraction boundary. This is a common pitfall in archive extraction implementations across languages-path normalization alone does not provide confinement guarantees.

RemediationAI

Upgrade to code-marketplace version 2.4.2 immediately, released at https://github.com/coder/code-marketplace/releases/tag/v2.4.2. The fix (commit 988440dee05fceef8400ed725badc604dbf90792 at https://github.com/coder/code-marketplace/commit/988440dee05fceef8400ed725badc604dbf90792) implements boundary checking to ensure extracted paths remain within the intended base directory after path resolution. Organizations unable to upgrade immediately should restrict VSIX upload permissions to highly trusted administrators only and review existing uploaded extensions for malicious path-traversal entries. Post-upgrade, audit filesystem locations writable by the marketplace process for unexpected files written before patching, particularly /etc/cron.d, /etc/init.d, user SSH directories, and application binary paths. No effective workaround exists beyond restricting upload access, as the vulnerability is in core extraction logic.

Share

CVE-2026-35454 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy