PT-2026-30337 · Go · Github.Com/Coder/Code-Marketplace
Published
2026-04-04
·
Updated
2026-04-04
·
CVE-2026-35454
None
No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
Zip Slip Path Traversal in coder/code-marketplace
Summary
A Zip Slip (CWE-22) vulnerability in
coder/code-marketplace ≤ v2.4.1 allowed a malicious VSIX file to write arbitrary files outside the extension directory. ExtractZip passed raw zip entry names to a callback that wrote files via filepath.Join with no boundary check; filepath.Join resolved .. components but did not prevent the result from escaping the base path.Root Cause
ExtractZip passed the raw, attacker-controlled zf.Name to a caller-supplied callback:return false, fn(zf.Name, zr) // zf.Name not sanitizedAddExtension constructed the output path with filepath.Join and no boundary check:path := filepath.Join(dir, name) // zip loop
path := filepath.Join(dir, file.RelativePath) // extra files loopfilepath.Clean resolved .. lexically but did not confine the result to dir:filepath.Join("/srv/ext/pub/1.0", "../../../../etc/cron.d/evil")
→ "/etc/cron.d/evil"Attack Scenario
An authenticated user (any upload-capable role) would submit a VSIX containing path-traversal entries.
On extraction, files would land at attacker-chosen paths writable by the marketplace process, enabling persistence (cron/init injection), SSH key injection,
ld.so.preload hijacking, or binary overwrite depending on process privileges.Fix
Recognition
Coder would like to thank Kandlaguduru Vamsi for responsibly disclosing this issue in accordance with https://coder.com/security/policy
Path traversal
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Github.Com/Coder/Code-Marketplace