Platform
go
Component
github.com/tobychui/zoraxy
Fixed version
3.3.3
3.3.2
CVE-2026-33529 describes a Remote Code Execution (RCE) vulnerability in the configuration import endpoint of Zoraxy, a Go-based reverse proxy. An authenticated attacker can use path traversal to write arbitrary files outside the designated configuration directory, which can lead to full compromise of the host. The vulnerability affects versions prior to 3.3.2; a patch has been released.
The root cause is inadequate sanitization of zip entry names during configuration import. An authenticated attacker can craft a zip file whose entry name defeats the sanitization logic: the code strips ../ sequences by substring replacement rather than resolving the path, and a single pass of replacement does not remove every traversal sequence (for instance, a stacked sequence such as ....// collapses to ../ once the inner ../ is removed). The surviving ../ components let the attacker write files to arbitrary locations reachable by the Zoraxy process. Writing a malicious plugin this way yields remote code execution. The code runs with the privileges of the Zoraxy process, which is frequently root on a reverse proxy that binds ports 80 and 443, so successful exploitation gives the attacker control over the server hosting the Zoraxy instance.
CVE-2026-33529 was publicly disclosed on 2026-03-25. The listed CVSS score is 3.3 (Low). CVSS rates severity, not likelihood of exploitation; the exploitation-probability figure is the EPSS estimate of 0.05% (17th percentile), which is also low. No public proof-of-concept (PoC) code has been identified as of this writing, and the CVE is not listed in the CISA KEV catalog. The authentication requirement limits who can exploit it, but anyone holding, or able to obtain, a valid account ends up with code execution on the host, so the low score should not be read as low impact.
Organizations running Zoraxy are at risk, particularly deployments that load custom plugins or integrations, since a planted plugin is the RCE path. Shared or multi-tenant deployments in which several people hold authenticated access to the Zoraxy instance are especially exposed, because any one compromised account is sufficient to exploit the vulnerability.
• linux / server: look for traversal artifacts under the configuration directory (the install path /opt/zoraxy/config is the page's example; adjust it to your deployment):
  find /opt/zoraxy/config -type f -name '*passwd*'
• linux / server: search the service journal for traversal messages (only useful if Zoraxy or a wrapper in front of it actually logs that phrase; adjust the unit name to yours):
  journalctl -u zoraxy -g "path traversal"
• generic web: confirm the import endpoint is exposed. Note that a HEAD response carries no multipart Content-Type, so the grep clause below will not match; treat any response other than 404 as the signal that the endpoint exists:
  curl -I http://your-zoraxy-instance/api/conf/import | grep -i 'content-type: multipart/form-data'
Disclosure: 2026-03-25
Exploitation status
EPSS
0.05% (17th percentile)
CISA SSVC
CVSS vector
The primary mitigation is to upgrade Zoraxy to version 3.3.2 or later, which fixes the path traversal. If upgrading is not immediately feasible, reduce the blast radius rather than relying on filtering you do not control: the files are written by the Zoraxy process itself, so restricting write access to the configuration directory only helps if Zoraxy runs as a dedicated, unprivileged service account that can write nowhere else of consequence. Also limit which accounts can authenticate to the management interface at all, since every authenticated user can reach the import endpoint. On the code side, the correct fix is to resolve each zip entry path under the configuration directory and reject any that escapes it, not to strip ../ substrings. Monitor for files created by the Zoraxy user outside the configuration and plugin directories, and watch those directories for unexpected new plugins. After upgrading, confirm the fix on a non-production instance by importing a zip whose entry name deliberately traverses upward (e.g., conf/../../../../etc/passwd) and verifying that nothing is written outside the configuration directory.
Update Zoraxy to version 3.3.2 or later. That release corrects the path traversal vulnerability that allows remote code execution. The update can be performed by downloading the new version from the official repository and replacing the existing files.
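The sanitizer failure described in the analysis above (a single-pass removal of ../) and the post-upgrade verification step are easier to reason about with a runnable model. The following Go program is an added example written for this page; it is not Zoraxy's code. The reconstruction of the flawed sanitizer, the base directory /opt/zoraxy/conf, and the sample archive are all assumptions. It builds an in-memory zip holding one legitimate entry and three traversal attempts, shows where a strip-then-join importer would write each one, and contrasts that with a hardened safeJoin that resolves the path and refuses anything that escapes the base directory. One detail worth noticing: the page's example name conf/../../../../etc/passwd is stripped completely by a one-shot replace; the name that survives such a replace is the stacked form ....//, which collapses to ../.

```go
package main

import (
	"archive/zip"
	"bytes"
	"fmt"
	"path/filepath"
	"strings"
)

// sanitizeSinglePass stands in for the one-shot "../" stripping the advisory
// describes. It is an assumed reconstruction, not Zoraxy's code: removing the
// inner "../" from "....//" leaves a fresh "../" behind.
func sanitizeSinglePass(name string) string {
	return strings.ReplaceAll(name, "../", "")
}

// vulnerableTarget is where a sanitize-then-Join importer would write an entry.
func vulnerableTarget(baseDir, name string) string {
	return filepath.Join(baseDir, sanitizeSinglePass(name))
}

// escapes reports whether target lies outside baseDir after lexical cleaning.
// It does not resolve symlinks; run filepath.EvalSymlinks on baseDir first if
// that directory may contain links.
func escapes(baseDir, target string) bool {
	rel, err := filepath.Rel(filepath.Clean(baseDir), target)
	if err != nil {
		return true
	}
	return rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

// safeJoin is the hardened form: no substring stripping, just resolve the entry
// under baseDir and refuse anything absolute or escaping.
func safeJoin(baseDir, name string) (string, error) {
	name = strings.ReplaceAll(name, `\`, "/") // zip names are attacker-controlled
	if filepath.IsAbs(name) || strings.HasPrefix(name, "/") {
		return "", fmt.Errorf("absolute entry name rejected: %q", name)
	}
	target := filepath.Join(baseDir, name) // Join cleans "." and ".." lexically
	if escapes(baseDir, target) {
		return "", fmt.Errorf("entry escapes %s: %q", baseDir, name)
	}
	return target, nil
}

type entry struct{ Name, Body string }

// buildZip writes entries into an in-memory archive, keeping names verbatim
// (archive/zip does not validate them, which is exactly the importer's problem).
func buildZip(entries []entry) []byte {
	var buf bytes.Buffer
	w := zip.NewWriter(&buf)
	for _, e := range entries {
		f, err := w.Create(e.Name)
		if err != nil {
			panic(err)
		}
		if _, err := f.Write([]byte(e.Body)); err != nil {
			panic(err)
		}
	}
	if err := w.Close(); err != nil {
		panic(err)
	}
	return buf.Bytes()
}

type verdict struct {
	Name       string
	Vulnerable string // path a sanitize-then-Join importer would write
	Escaped    bool   // that path lies outside baseDir
	Safe       string // path safeJoin would write, empty when rejected
}

// auditArchive runs both importers over every entry of a zip and reports the difference.
func auditArchive(baseDir string, data []byte) []verdict {
	r, err := zip.NewReader(bytes.NewReader(data), int64(len(data)))
	if err != nil {
		panic(err)
	}
	var out []verdict
	for _, f := range r.File {
		v := verdict{Name: f.Name, Vulnerable: vulnerableTarget(baseDir, f.Name)}
		v.Escaped = escapes(baseDir, v.Vulnerable)
		if p, err := safeJoin(baseDir, f.Name); err == nil {
			v.Safe = p
		}
		out = append(out, v)
	}
	return out
}

// Constructed sample archive (not a real Zoraxy export): one legitimate entry
// and three traversal attempts.
var sampleEntries = []entry{
	{"proxy/config.json", `{"root":"127.0.0.1:8080"}`},
	{"conf/../../../../etc/passwd", "x\n"},  // the page's example: a one-shot replace strips it completely
	{"....//....//....//etc/passwd", "x\n"}, // a one-shot replace turns this into ../../../etc/passwd
	{"/etc/cron.d/zoraxy-test", "x\n"},      // absolute name: Join neutralises it, safeJoin rejects it outright
}

func main() {
	for _, v := range auditArchive("/opt/zoraxy/conf", buildZip(sampleEntries)) {
		fmt.Printf("%-32s vulnerable=%-42s escaped=%-5v safe=%q\n", v.Name, v.Vulnerable, v.Escaped, v.Safe)
	}
}
```

Running it prints one line per entry; the stacked name is the one whose vulnerable target resolves to /etc/passwd while the page's own example stays inside the base directory under a one-shot replace. When you verify the fix after upgrading, test with the stacked form as well as plain ../, and in your own importers never normalise by deleting substrings: join, clean, and check with filepath.Rel.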
CVE-2026-33529 is a Remote Code Execution vulnerability in Zoraxy versions prior to 3.3.2. An authenticated user can exploit path traversal during configuration import to write arbitrary files, including a malicious plugin, and thereby execute code on the host.
You are affected if you are running Zoraxy 3.3.1 or earlier, whether or not you yourself use the configuration import feature: any authenticated user who can reach the import endpoint can trigger it. Upgrade to 3.3.2 or later to mitigate the risk.
Upgrade Zoraxy to version 3.3.2 or later. As a temporary workaround, run Zoraxy under an unprivileged service account with write access limited to its configuration and plugin directories, and restrict which accounts can authenticate to the management interface.
There is currently no evidence of active exploitation in the wild, but the outcome of a successful exploit is code execution on the host, so the vulnerability remains a significant concern.
Refer to the Zoraxy project's official repository and release notes for the advisory and detailed information regarding the fix: [https://github.com/tobychui/zoraxy](https://github.com/tobychui/zoraxy)