Platform
other
Component
devtoys
Fixed in
2.0.1
CVE-2026-22685 describes a Path Traversal vulnerability discovered in DevToys, a desktop application for developers. This flaw allows attackers to overwrite arbitrary files on a user’s system by crafting malicious extension packages. The vulnerability affects versions 2.0.0.0 through 2.0.8.0, and a fix is available in version 2.0.9.0.
The core of this vulnerability lies in DevToys’ extension installation process. When handling NUPKG archive files, the application fails to adequately validate file paths within the archive. An attacker can exploit this by including specially crafted file entries, such as ../../…/target-file, within a malicious extension package. This bypasses the intended file extraction directory, allowing the attacker to write files to arbitrary locations on the user’s system. The potential impact is significant, as an attacker could overwrite critical system files, inject malicious code, or gain persistent access to the affected machine, effectively compromising the user’s environment. This is particularly concerning given DevToys' role as a developer tool, potentially granting access to sensitive project files and credentials.
CVE-2026-22685 was publicly disclosed on 2026-01-10. There is no indication of this vulnerability being actively exploited at this time, nor is it currently listed on CISA KEV. The EPSS score is likely to be low due to the lack of public exploits and the need for a crafted extension package, but the potential impact warrants attention. Public proof-of-concept code is not currently available.
Exploit Status
EPSS
0.05% (14% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-22685 is to immediately upgrade DevToys to version 2.0.9.0 or later, which contains the necessary fix. If upgrading is not immediately feasible due to compatibility issues or testing requirements, consider isolating DevToys from untrusted networks and disabling the installation of extensions from unknown sources. While a direct WAF rule is unlikely, monitoring for unusual file creation activity within the DevToys installation directory could provide an early warning sign. After upgrading, verify the fix by attempting to install a known malicious extension package (in a controlled environment) and confirming that file extraction is restricted to the intended extensions directory.
Update DevToys to version 2.0.9.0 or later. Download the latest version from the official website or through the update mechanism within the application. This corrects the path traversal vulnerability when installing extensions.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2026-22685 is a Path Traversal vulnerability affecting DevToys versions 2.0.0.0 through 2.0.8.0, allowing attackers to overwrite files by crafting malicious extension packages.
You are affected if you are using DevToys versions 2.0.0.0 to 2.0.8.0. Upgrade to 2.0.9.0 or later to mitigate the risk.
Upgrade DevToys to version 2.0.9.0 or later. If immediate upgrade is not possible, isolate DevToys and disable extension installation from untrusted sources.
There is currently no evidence of CVE-2026-22685 being actively exploited.
Refer to the official DevToys release notes and security advisories on the developer's website for the most up-to-date information.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.