Platform
go
Component
github.com/coder/code-marketplace
Fixed in
2.4.3
1.2.3-0.20260402184705-988440dee05f
CVE-2026-35454 describes a Path Traversal vulnerability discovered in github.com/coder/code-marketplace versions up to v2.4.1. This flaw allows attackers to leverage specially crafted VSIX files to write arbitrary files outside the intended extension directory, potentially leading to code execution or data compromise. The vulnerability is fixed in version 1.2.3-0.20260402184705-988440dee05f.
The core of this vulnerability lies in the ExtractZip function's handling of zip entry names. The function passes attacker-controlled zip entry names (zf.Name) straight to a callback without sanitizing them or checking that the destination stays inside the target directory. An attacker can therefore craft a VSIX file whose zip entries carry malicious paths, such as names containing .. sequences. filepath.Join cleans the path lexically (collapsing the .. components) but never verifies that the result still lies under the base directory, so the write lands wherever the traversal points, enabling arbitrary file writes. Successful exploitation could allow an attacker to overwrite critical system files, inject malicious code into the application, or exfiltrate sensitive data. The potential impact is significant, as it could lead to complete system compromise.
This vulnerability was publicly disclosed on 2026-04-04. Currently, there are no known active campaigns targeting this specific vulnerability. The presence of a public proof-of-concept is unknown at this time. The CVSS score of 7.5 (HIGH) indicates a moderate probability of exploitation, particularly given the ease with which zip slip vulnerabilities can be exploited. It is advisable to prioritize patching or implementing mitigations to reduce the risk.
Organizations utilizing github.com/coder/code-marketplace in their development environments, particularly those relying on VSIX file extensions for code or tool integration, are at risk. Environments with legacy configurations or those lacking robust input validation practices are especially vulnerable.
• linux / server:
find /opt/code-marketplace \( -name '*.zip' -o -name '*.vsix' \) -exec grep -l '\.\./' {} + | xargs -r ls -l  # zip entry names are stored unencoded in the archive headers, so a literal "../" is greppable
• generic web:
curl -I 'http://your-code-marketplace-url/extensions/malicious.vsix' # Check for unusual response headers or file access disclosure
Exploit Status
EPSS
0.08% (percentile 24%)
CISA SSVC
The primary mitigation is to upgrade to version 1.2.3-0.20260402184705-988440dee05f or later. If an immediate upgrade is not feasible, consider implementing a temporary workaround by validating the zip entry names before passing them to the callback function. This validation should ensure that the resulting file path remains within the designated extension directory. Additionally, consider implementing a Web Application Firewall (WAF) rule to block requests containing suspicious zip file extensions or patterns indicative of path traversal attempts. After upgrading, confirm the fix by attempting to upload a VSIX file with a malicious path (e.g., ../../../../etc/passwd) and verifying that the file write is prevented.
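The unchecked join described in the root-cause paragraph and the entry-name validation recommended above as a workaround, shown side by side in Go. This is an added example, not code from the coder/code-marketplace project: unsafeJoin, safeJoin, extractZip and buildArchive are hypothetical helper names, the archive entries are constructed sample input, and the extension/package.json layout is assumed.

```go
package main

import (
	"archive/zip"
	"bytes"
	"errors"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
)

// ErrTraversal is returned for an entry whose name would resolve outside the destination.
var ErrTraversal = errors.New("zip entry escapes destination directory")

// unsafeJoin mirrors the flawed pattern in the advisory: the entry name is joined
// onto the base directory with no boundary check. filepath.Join collapses the ".."
// components, so "../../etc/passwd" silently becomes a path above base.
func unsafeJoin(base, name string) string {
	return filepath.Join(base, name)
}

// safeJoin is a hypothetical hardened helper: it joins the entry name onto base and
// then verifies, via filepath.Rel, that the cleaned result is still inside base.
func safeJoin(base, name string) (string, error) {
	cleanBase := filepath.Clean(base)
	// Absolute names and volume-qualified names can never be "inside" base.
	if filepath.IsAbs(name) || filepath.VolumeName(name) != "" {
		return "", ErrTraversal
	}
	target := filepath.Join(cleanBase, name)
	rel, err := filepath.Rel(cleanBase, target)
	if err != nil {
		return "", ErrTraversal
	}
	// Rel yields ".." or "../x" exactly when target sits above cleanBase.
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrTraversal
	}
	return target, nil
}

// extractZip writes each entry of an in-memory zip/VSIX under dest, refusing the
// whole archive at the first entry that fails safeJoin. It returns the names written.
func extractZip(data []byte, dest string) ([]string, error) {
	zr, err := zip.NewReader(bytes.NewReader(data), int64(len(data)))
	if err != nil {
		return nil, err
	}
	var written []string
	for _, zf := range zr.File {
		target, err := safeJoin(dest, zf.Name) // the check the vulnerable code lacked
		if err != nil {
			return written, fmt.Errorf("%s: %w", zf.Name, err)
		}
		if zf.FileInfo().IsDir() {
			if err := os.MkdirAll(target, 0o755); err != nil {
				return written, err
			}
			continue
		}
		if err := os.MkdirAll(filepath.Dir(target), 0o755); err != nil {
			return written, err
		}
		rc, err := zf.Open()
		if err != nil {
			return written, err
		}
		out, err := os.OpenFile(target, os.O_CREATE|os.O_WRONLY|os.O_TRUNC, 0o644)
		if err != nil {
			rc.Close()
			return written, err
		}
		_, err = io.Copy(out, rc)
		rc.Close()
		out.Close()
		if err != nil {
			return written, err
		}
		written = append(written, zf.Name)
	}
	return written, nil
}

// buildArchive builds a small zip in memory from name->content pairs (constructed sample input).
func buildArchive(entries map[string]string) ([]byte, error) {
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	for name, body := range entries {
		w, err := zw.Create(name)
		if err != nil {
			return nil, err
		}
		if _, err := w.Write([]byte(body)); err != nil {
			return nil, err
		}
	}
	if err := zw.Close(); err != nil {
		return nil, err
	}
	return buf.Bytes(), nil
}

func main() {
	dest, _ := os.MkdirTemp("", "vsix-dest")
	defer os.RemoveAll(dest)
	fmt.Println("unsafe:", unsafeJoin(dest, "../../etc/passwd"))
	_, err := safeJoin(dest, "../../etc/passwd")
	fmt.Println("safe  :", err)
	evil, _ := buildArchive(map[string]string{"../escape.txt": "owned"})
	_, err = extractZip(evil, dest)
	fmt.Println("evil  :", err)
}
```

The guard is placed before any filesystem call, so a hostile archive is rejected without a partial write; checking with filepath.Rel rather than a plain string prefix avoids accepting a sibling directory such as /opt/ext-evil when the base is /opt/ext.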
Update to version 2.4.2 or later to mitigate the Zip path traversal (zip slip) vulnerability. The update fixes the issue by checking the boundaries of the files extracted from VSIX archives, preventing writes outside the extension directory.
CVE-2026-35454 is a Path Traversal vulnerability in github.com/coder/code-marketplace versions up to v2.4.1, allowing attackers to write arbitrary files via malicious VSIX files.
You are affected if you are using github.com/coder/code-marketplace version 2.4.1 or earlier.
Upgrade to version 1.2.3-0.20260402184705-988440dee05f or later. Consider temporary workarounds like input validation if immediate upgrade is not possible.
There are currently no known active campaigns exploiting CVE-2026-35454, but the vulnerability's severity warrants prompt remediation.
Refer to the official github.com/coder/code-marketplace repository and related security advisories for the most up-to-date information.