Platform
go
Component
github.com/coder/code-marketplace
Fixed in
2.4.3
1.2.3-0.20260402184705-988440dee05f
CVE-2026-35454 describes a Path Traversal vulnerability discovered in github.com/coder/code-marketplace versions up to v2.4.1. This flaw allows attackers to leverage specially crafted VSIX files to write arbitrary files outside the intended extension directory, potentially leading to code execution or data compromise. The vulnerability is fixed in version 1.2.3-0.20260402184705-988440dee05f.
The impact of this vulnerability is significant. An attacker can craft a malicious VSIX file that, when processed by coder/code-marketplace, will write files to arbitrary locations on the system. This could include overwriting critical system files, injecting malicious code into existing extensions, or gaining unauthorized access to sensitive data. The ability to write outside the designated extension directory bypasses security controls designed to isolate extensions and protect the underlying system. Successful exploitation could lead to complete system compromise, depending on the permissions of the process running coder/code-marketplace.
This vulnerability was publicly disclosed on 2026-04-04. Currently, there are no known active campaigns targeting this specific vulnerability. The existence of a public proof-of-concept is unknown at this time. The vulnerability's severity is rated HIGH (CVSS 7.5), indicating a reasonable probability of exploitation if left unaddressed. It is not listed on the CISA KEV catalog as of this writing.
Organizations utilizing github.com/coder/code-marketplace in their development environments, particularly those relying on VSIX file extensions for code or tool integration, are at risk. Environments with legacy configurations or those lacking robust input validation practices are especially vulnerable.
• linux / server:
find /opt/code-marketplace \( -name '*.zip' -o -name '*.vsix' \) -exec grep -l '\.\./' {} + | xargs ls -l
• generic web:
curl -I 'http://your-code-marketplace-url/extensions/malicious.vsix' # Check for unusual response headers or file access
Exploit status
EPSS
0.08% (24th percentile)
CISA SSVC
The primary mitigation is to immediately upgrade coder/code-marketplace to version 1.2.3-0.20260402184705-988440dee05f or later. If upgrading is not immediately feasible, consider implementing stricter file access controls to limit the write permissions of the process running coder/code-marketplace. Additionally, implement input validation and sanitization on all uploaded VSIX files to prevent the inclusion of malicious paths. While a direct WAF rule is unlikely, a proxy could be configured to inspect VSIX file contents for suspicious path patterns before processing. After upgrading, confirm the fix by attempting to upload a test VSIX file containing a path traversal payload (e.g., ../../../../etc/passwd) and verifying that the file is not written outside the intended extension directory.
Upgrade to version 2.4.2 or later to mitigate the Zip Slip path traversal vulnerability. This update fixes the issue by checking the bounds of the files extracted from VSIX archives, preventing files from being written outside the extension directory.
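The bounds check described above (and the VSIX input validation recommended in the mitigation section) as an added Go example. This is not code from coder/code-marketplace; the extension directory /var/lib/code-marketplace/extensions and the archive contents are constructed for the demonstration, and the function names are the example's own. It resolves each zip entry name against the destination directory and rejects any entry whose cleaned path would land outside it, without writing anything to disk.

```go
package main

import (
	"archive/zip"
	"bytes"
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrPathEscape marks an archive entry that would land outside the destination directory.
var ErrPathEscape = errors.New("archive entry escapes destination directory")

// SafeExtractPath resolves an archive entry name against destDir and returns the
// absolute target path, or ErrPathEscape when the cleaned path is not inside destDir.
func SafeExtractPath(destDir, entryName string) (string, error) {
	// Zip entry names are slash-separated; a backslash is never a legitimate separator here.
	if strings.Contains(entryName, `\`) {
		return "", fmt.Errorf("%w: %q contains a backslash", ErrPathEscape, entryName)
	}
	name := filepath.FromSlash(entryName)
	if filepath.IsAbs(name) {
		return "", fmt.Errorf("%w: %q is absolute", ErrPathEscape, entryName)
	}
	base, err := filepath.Abs(destDir)
	if err != nil {
		return "", err
	}
	// Join cleans "." and ".." segments, so the escape check runs on the resolved path.
	target := filepath.Join(base, name)
	if target != base && !strings.HasPrefix(target, base+string(filepath.Separator)) {
		return "", fmt.Errorf("%w: %q resolves to %q", ErrPathEscape, entryName, target)
	}
	return target, nil
}

// CheckArchive inspects every entry of an in-memory zip (VSIX) archive and returns the
// names that would escape destDir. Nothing is written to disk.
func CheckArchive(data []byte, destDir string) ([]string, error) {
	r, err := zip.NewReader(bytes.NewReader(data), int64(len(data)))
	// Go 1.20+ may hand back a usable reader together with zip.ErrInsecurePath for such
	// names (depending on GODEBUG=zipinsecurepath); the explicit check below covers both cases.
	if r == nil {
		return nil, err
	}
	var bad []string
	for _, f := range r.File {
		if _, err := SafeExtractPath(destDir, f.Name); err != nil {
			bad = append(bad, f.Name)
		}
	}
	return bad, nil
}

// BuildSampleVSIX constructs a small archive in memory (constructed test data, not a
// real extension) with one benign entry and two entries that attempt to escape.
func BuildSampleVSIX() []byte {
	entries := []struct{ name, body string }{
		{"extension/package.json", `{"name":"demo"}`},
		{"../../../escape.txt", "would land outside the extension directory"},
		{"/etc/absolute.txt", "absolute path"},
	}
	var buf bytes.Buffer
	w := zip.NewWriter(&buf)
	for _, e := range entries {
		fw, err := w.Create(e.name)
		if err != nil {
			panic(err)
		}
		fw.Write([]byte(e.body))
	}
	w.Close()
	return buf.Bytes()
}

func main() {
	bad, err := CheckArchive(BuildSampleVSIX(), "/var/lib/code-marketplace/extensions")
	if err != nil {
		panic(err)
	}
	fmt.Println("rejected entries:", bad) // [../../../escape.txt /etc/absolute.txt]
}
```

The prefix check must compare against base plus a separator, otherwise a destination of /srv/ext would accept an entry resolving to /srv/ext-other. The check only covers entry names: symlink entries inside an archive, and writes through symlinks already present in the destination, need separate handling. On Go 1.20 and later, filepath.IsLocal offers a compact name-level check that can replace the absolute-path and prefix tests.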
CVE-2026-35454 is a Path Traversal vulnerability in github.com/coder/code-marketplace versions up to v2.4.1, allowing attackers to write arbitrary files via malicious VSIX files.
You are affected if you are using github.com/coder/code-marketplace version 2.4.1 or earlier.
Upgrade to version 1.2.3-0.20260402184705-988440dee05f or later. Consider temporary workarounds like input validation if immediate upgrade is not possible.
There are currently no known active campaigns exploiting CVE-2026-35454, but the vulnerability's severity warrants prompt remediation.
Refer to the official github.com/coder/code-marketplace repository and related security advisories for the most up-to-date information.