CVE-2026-35454
Code Extension Marketplace: Zip Slip Path Traversal
Description
# Zip Slip Path Traversal in coder/code-marketplace

## Summary

A Zip Slip (CWE-22) vulnerability in `coder/code-marketplace` ≤ v2.4.1 allowed a malicious VSIX file to write arbitrary files outside the extension directory. `ExtractZip` passed raw zip entry names to a callback that wrote files via `filepath.Join` with no boundary check; `filepath.Join` resolved `..` components but did not prevent the result from escaping the base path.

## Root Cause

`ExtractZip` passed the raw, attacker-controlled `zf.Name` to a caller-supplied callback:

```go
return false, fn(zf.Name, zr) // zf.Name not sanitized
```

`AddExtension` constructed the output path with `filepath.Join` and no boundary check:

```go
path := filepath.Join(dir, name)              // zip loop
path := filepath.Join(dir, file.RelativePath) // extra files loop
```

`filepath.Clean` resolved `..` lexically but did not confine the result to `dir`:

```
filepath.Join("/srv/ext/pub/1.0", "../../../../etc/cron.d/evil") → "/etc/cron.d/evil"
```

## Attack Scenario

An authenticated user (any upload-capable role) would submit a VSIX containing path-traversal entries. On extraction, files would land at attacker-chosen paths writable by the marketplace process, enabling persistence (cron/init injection), SSH key injection, `ld.so.preload` hijacking, or binary overwrite depending on process privileges.

## Fix

Addressed in https://github.com/coder/code-marketplace/releases/tag/v2.4.2

## Recognition

Coder would like to thank [Kandlaguduru Vamsi](https://www.linkedin.com/in/vamsi-k-5419632a9/) for responsibly disclosing this issue in accordance with https://coder.com/security/policy
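The boundary check that the root cause above says was missing, as an added Go example; this is not code from coder/code-marketplace, and `SafeJoin`, the base directory and the sample entry names are assumptions. It shows why `filepath.Join` on its own is not a check, and that the test must be on the relative path, not a naive prefix match.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrPathEscape is returned when a zip entry name resolves outside dir.
var ErrPathEscape = errors.New("zip entry escapes extraction directory")

// SafeJoin joins an untrusted zip entry name onto dir and rejects any result
// that does not stay inside dir. filepath.Join alone is not a boundary check:
// it cleans ".." lexically but returns whatever that produces, even a path
// above dir. Entry names are assumed to use "/" as the zip format specifies.
func SafeJoin(dir, name string) (string, error) {
	base := filepath.Clean(dir)
	target := filepath.Join(base, filepath.FromSlash(name))
	// A path inside base never has a relative form starting with "..".
	rel, err := filepath.Rel(base, target)
	if err != nil {
		return "", ErrPathEscape
	}
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrPathEscape
	}
	return target, nil
}

func main() {
	// Constructed entry names: benign VSIX contents first, then traversal
	// attempts of the kind the advisory describes.
	entries := []string{
		"extension/package.json",
		"extension/..hidden/readme.md", // ".." inside a component is legal
		"/etc/passwd",                  // absolute name is confined under dir
		"../../../../etc/cron.d/evil",
		"extension/../../escape",
	}
	for _, name := range entries {
		path, err := SafeJoin("/srv/ext/pub/1.0", name)
		if err != nil {
			fmt.Printf("REJECT %-30s %v\n", name, err)
			continue
		}
		fmt.Printf("ok     %-30s -> %s\n", name, path)
	}
}
```

The check is lexical only: if `dir` already contains a symlink pointing elsewhere, a name that passes `SafeJoin` can still write through it, so extract into a fresh directory or refuse to follow symlinks when opening the output file.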
How to fix CVE-2026-35454
To remediate CVE-2026-35454, upgrade the affected package to a fixed version below.
- Upgrade to 1.2.3-0.20260402184705-988440dee05f or later
Is CVE-2026-35454 being exploited?
Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.