Platform: go
Component: github.com/coder/code-marketplace
Fixed in: 2.4.3, 1.2.3-0.20260402184705-988440dee05f
CVE-2026-35454 describes a path traversal (zip slip) vulnerability in github.com/coder/code-marketplace versions up to v2.4.1. The flaw lets an attacker use a specially crafted VSIX file to write arbitrary files outside the intended extension directory, which can lead to code execution or data compromise. The vulnerability is fixed in version 1.2.3-0.20260402184705-988440dee05f.
The root cause is the ExtractZip function's handling of zip entry names. The function passes attacker-controlled entry names (zf.Name) directly to a callback without sanitization or boundary checks. An attacker can therefore craft a VSIX file whose zip entries carry paths containing .. sequences. filepath.Join resolves those .. components, but it does not prevent the resulting path from escaping the base directory, so the callback ends up writing to an arbitrary location. Successful exploitation could allow an attacker to overwrite critical system files, inject malicious code into the application, or exfiltrate sensitive data. The potential impact is significant, as it could lead to complete system compromise.
This vulnerability was publicly disclosed on 2026-04-04. There are currently no known active campaigns targeting it, and whether a public proof-of-concept exists is unknown at this time. The CVSS score of 7.5 (HIGH) indicates a moderate probability of exploitation, particularly given how easily zip slip vulnerabilities can be exploited. Patching, or at least implementing the mitigations below, should be prioritized to reduce the risk.
Exploit Status
EPSS: 0.08% (24th percentile)
CISA SSVC
The primary mitigation is to upgrade to version 1.2.3-0.20260402184705-988440dee05f or later. If an immediate upgrade is not feasible, a temporary workaround is to validate each zip entry name before passing it to the callback function; the validation must ensure that the resolved file path stays within the designated extension directory. Additionally, consider a Web Application Firewall (WAF) rule that blocks requests containing suspicious zip file extensions or patterns indicative of path traversal attempts. After upgrading, confirm the fix by attempting to upload a VSIX file containing an entry with a malicious path (e.g., ../../../../etc/passwd) and verifying that the file write is rejected.
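As an added example (not code from the code-marketplace project), the following Go snippet shows the kind of containment check the workaround above describes, exercised against the page's own ../../../../etc/passwd case; SafeJoin and FilterEntries are hypothetical names and the base directory is a constructed value.

```go
package main

import (
	"errors"
	"path/filepath"
	"strings"
)

// ErrOutsideBase marks a zip entry whose destination would escape the
// extraction directory (the zip slip condition).
var ErrOutsideBase = errors.New("zip entry resolves outside the extraction directory")

// SafeJoin resolves an archive entry name beneath base and rejects any entry
// whose cleaned destination is not contained in base. filepath.Join collapses
// ".." segments but does not stop the result from leaving base, so the
// containment test is made explicitly with filepath.Rel.
func SafeJoin(base, entryName string) (string, error) {
	// Absolute names, drive letters and backslash separators never belong in a
	// portable archive entry; reject them before any path arithmetic.
	if filepath.IsAbs(entryName) || filepath.VolumeName(entryName) != "" ||
		strings.ContainsRune(entryName, '\\') {
		return "", ErrOutsideBase
	}
	cleanBase := filepath.Clean(base)
	dest := filepath.Join(cleanBase, entryName)
	rel, err := filepath.Rel(cleanBase, dest)
	if err != nil {
		return "", ErrOutsideBase
	}
	// rel is ".." or starts with "../" exactly when dest lies outside base.
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideBase
	}
	return dest, nil
}

// FilterEntries applies SafeJoin to every entry name an extractor would hand
// to its callback (the zf.Name values), returning the accepted destinations
// and the rejected entry names so the caller can log and refuse the latter.
func FilterEntries(base string, names []string) (accepted, rejected []string) {
	for _, name := range names {
		dest, err := SafeJoin(base, name)
		if err != nil {
			rejected = append(rejected, name)
			continue
		}
		accepted = append(accepted, dest)
	}
	return accepted, rejected
}
```

Because the check is made on the path produced by filepath.Join rather than on the raw entry name, nested forms such as extension/../../x are caught as well as a leading ../.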
Upgrade to version 2.4.2 or later to mitigate the zip slip vulnerability. This update fixes the issue by checking the bounds of files extracted from VSIX archives, preventing files from being written outside the extension directory.
CVE-2026-35454 is a path traversal vulnerability in github.com/coder/code-marketplace versions up to v2.4.1 that allows attackers to write arbitrary files via malicious VSIX files.
You are affected if you are using github.com/coder/code-marketplace version 2.4.1 or earlier.
Upgrade to version 1.2.3-0.20260402184705-988440dee05f or later. Consider temporary workarounds like input validation if immediate upgrade is not possible.
There are currently no known active campaigns exploiting CVE-2026-35454, but the vulnerability's severity warrants prompt remediation.
Refer to the official github.com/coder/code-marketplace repository and related security advisories for the most up-to-date information.