Severity by source
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
7DescriptionCVE.org
Detect-It-Easy prior to 3.21 contains a path traversal vulnerability that allows attackers to write arbitrary files to the filesystem by crafting malicious archive entries with relative traversal sequences or absolute paths. Attackers can exploit insufficient path normalization during archive extraction to write files outside the intended extraction directory and achieve persistent code execution by overwriting user startup scripts.
AnalysisAI
Path traversal in Detect-It-Easy archive extraction allows local attackers to write arbitrary files outside intended directories and achieve persistent code execution by overwriting user startup scripts. Affects all versions prior to 3.21. Exploitation requires user interaction to open a specially crafted archive file. Vendor-released patch available in version 3.21, with fixes applied across multiple repository components (DIE-engine, Formats, XArchive). No public exploit identified at time of analysis, though the vulnerability class is well-understood and exploitation techniques are documented.
Technical ContextAI
Detect-It-Easy (DiE) is a cross-platform file format analyzer and signature scanner used by malware researchers and reverse engineers to identify executable file types. The vulnerability resides in the archive extraction functionality within the XArchive and XFormats libraries (horsicq/Formats and horsicq/XArchive repositories). The flaw is a classic CWE-23 Relative Path Traversal issue where insufficient path normalization during archive extraction allows entries containing relative traversal sequences (../) or absolute paths to write files outside the intended extraction directory. The commit diffs show the fix implements canonical path validation by computing a clean absolute path for both the extraction root (sCanonicalRoot) and each archive entry file path (sResultFileName), then validating that the entry path starts with the canonical root path before extraction proceeds. This prevents traversal attacks regardless of platform-specific path separators or encoding tricks.
RemediationAI
Upgrade to Detect-It-Easy version 3.21 or later immediately. Version 3.21 contains comprehensive fixes across three repository components with commits cbbe1688e58ffd430d284bf65f336973f083db69 and 7fd300b926daf19707b2a36f0abe8b60a51308ee in DIE-engine, 56cdf50ee3c72c56284e2819b23e98332842d259 in Formats, and 6a2aa84c2fd120b704f76bb5c5ee3e9b5a7a0fcc in XArchive. Platform-specific installers and AppImage available at https://github.com/horsicq/DIE-engine/releases/tag/3.21. If immediate upgrade is not feasible, implement defense-in-depth controls: restrict Detect-It-Easy to a sandboxed environment (container, VM, or AppArmor/SELinux profile) with read-only access to critical system directories and startup script locations, process untrusted archives only in isolated disposable environments, and monitor file system activity during archive extraction for writes outside expected paths using auditd or similar tooling. Note that sandboxing trades operational convenience for security and may interfere with legitimate DiE workflows that require file system access. No effective workaround exists for the core vulnerability without patching - file extension filtering or archive format restrictions are insufficient as the traversal occurs during extraction logic regardless of archive type.
Same weakness CWE-23 – Relative Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-27081