CVE-2026-2818
Zip-Slip Path Traversal in Spring Data Geode Import on Windows
Publication date: 2026-02-20
Last updated on: 2026-02-20
Assigner: HeroDevs
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| spring | datageode | * (all versions) |
| spring | datageode | From 1.7.0 (inc) to 2.2.13 (inc) |
| spring | datageode | From 2.0.0 (inc) to 2.7.18 (inc) |
| spring | datagemfire | From 1.7.0 (inc) to 2.2.13 (inc) |
| spring | datagemfire | From 2.0.0 (inc) to 2.7.18 (inc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-23 | The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize sequences such as ".." that can resolve to a location that is outside of that directory. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-2818 is a high-severity zip-slip path traversal vulnerability in the snapshot import functionality of Spring Data for Apache Geode and Spring Data GemFire. The issue arises because the filename sanitization logic depends on the platform's native path separator to remove directory components from ZIP entry names.

On Linux and macOS, which use '/' as the path separator, matching the ZIP specification, this sanitization works correctly. On Windows, however, the native separator is '\', which does not match the forward slashes used in ZIP entries. As a result, path traversal sequences such as "../../../../" in ZIP entry names are not detected on Windows.

This allows an attacker who supplies a crafted archive during snapshot import to write files outside the intended extraction directory, potentially leading to arbitrary file writes to locations accessible by the application. [1]
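As an added example that is not code from the Spring Data Geode or GemFire project: the script below models the separator-dependent sanitizer described above (the exact shape of the original logic is an assumption; the model keeps only the text after the last native separator), runs a constructed archive through it as if on a POSIX host and as if on a Windows host by using Python's posixpath and ntpath modules, and shows a separator-independent check that rejects the traversal entry on both. The import directory names and archive entries are constructed for the demonstration, and nothing is written to disk.

```python
import io
import ntpath
import posixpath
import zipfile
from typing import Optional


def build_crafted_archive() -> bytes:
    """Constructed sample archive: one benign snapshot entry and one entry whose
    name carries a ZIP-style (forward-slash) traversal sequence."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("data/region.gfd", b"snapshot payload (constructed)")
        zf.writestr("../../../../startup/evil.bat", b"@echo owned")
    return buf.getvalue()


def vulnerable_target(import_dir: str, entry_name: str, pathmod) -> str:
    """Model of the affected sanitizer (an assumption about its exact shape):
    keep only the text after the last *native* separator, then resolve it
    under the import directory.  pathmod is posixpath or ntpath, so the
    Windows runtime (sep == '\\') can be simulated on any host.  ZIP entry
    names use '/', so on Windows rfind('\\') returns -1 and the whole name,
    traversal included, survives."""
    file_name = entry_name[entry_name.rfind(pathmod.sep) + 1:]
    return pathmod.normpath(pathmod.join(import_dir, file_name))


def hardened_target(import_dir: str, entry_name: str, pathmod) -> Optional[str]:
    """Separator-independent replacement: treat both '/' and '\\' as
    separators, reject absolute and drive-rooted names, resolve against the
    import directory and require the result to stay inside it.  Returns the
    resolved path, or None when the entry must be rejected."""
    name = entry_name.replace("\\", "/")
    if name.startswith("/") or (len(name) > 1 and name[1] == ":"):
        return None
    base = pathmod.normpath(import_dir)
    target = pathmod.normpath(pathmod.join(base, name))
    # Comparing against base plus a separator stops '/srv/import2' from
    # passing as a child of '/srv/import'.
    if target != base and not target.startswith(base + pathmod.sep):
        return None
    return target


def classify_archive(archive: bytes, import_dir: str, pathmod) -> dict:
    """Map each entry name to (where the vulnerable sanitizer would write it,
    what the hardened check allows) without touching the filesystem."""
    result = {}
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            result[info.filename] = (
                vulnerable_target(import_dir, info.filename, pathmod),
                hardened_target(import_dir, info.filename, pathmod),
            )
    return result


def demo() -> dict:
    """Run the crafted archive through both sanitizers as a POSIX host and as
    a Windows host (import directory names are constructed)."""
    archive = build_crafted_archive()
    return {
        "posix": classify_archive(archive, "/srv/geode/import", posixpath),
        "windows": classify_archive(archive, r"C:\geode\import", ntpath),
    }


if __name__ == "__main__":
    for host, entries in demo().items():
        print(host)
        for name, (vuln, safe) in entries.items():
            print(f"  {name:32} vulnerable -> {vuln}   hardened -> {safe}")
```

Running it prints, for each simulated host, where the vulnerable sanitizer would place each entry and what the hardened check returns. On the POSIX host the crafted entry is flattened to evil.bat inside the import directory; on the simulated Windows host it resolves to C:\startup\evil.bat, outside the import directory, while the hardened check returns None for it on both hosts and accepts the benign entry on both.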
How can this vulnerability impact me?
This vulnerability can allow an attacker to write arbitrary files outside the intended extraction directory when importing a crafted ZIP or JAR archive on a Windows system running the affected Spring Data Geode or GemFire application.
The potential impacts include code execution, data corruption, or persistence through malicious startup scripts if the attacker can write files to locations accessible by the application.
Exploitation requires the application to be running on Windows, importing an attacker-controlled archive, and the account running the application having write permission on the target paths.
Mitigations include validating the integrity and origin of snapshot archives before import, avoiding untrusted snapshot archives, and running the application with minimal filesystem permissions to limit the impact.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability arises when importing attacker-controlled ZIP or JAR archives containing path traversal sequences that are not properly sanitized on Windows systems. Detection involves monitoring or inspecting snapshot import activities for suspicious ZIP entries with path traversal patterns such as "../../../../".

Since the vulnerability is specific to Windows and to the snapshot import functionality, you can detect potential exploitation by examining the contents of ZIP or JAR files before import for entries with directory traversal sequences.

Suggested commands to detect suspicious ZIP entries on Windows, using PowerShell or command-line tools to list archive contents and search for path traversal patterns:

- Using PowerShell to list ZIP contents and filter for traversal sequences with either separator, and for absolute or drive-rooted entry names, which also escape the extraction directory:

```powershell
Add-Type -AssemblyName System.IO.Compression.FileSystem
$zip = [System.IO.Compression.ZipFile]::OpenRead("path_to_archive.zip")
# Flag '..' components with '/' or '\' on either side, and names that start with a root or drive letter
$zip.Entries | Where-Object { $_.FullName -match '(^|[/\\])\.\.([/\\]|$)|^([/\\]|[A-Za-z]:)' } | Select-Object FullName
$zip.Dispose()
```

- Using the 7-Zip command line to list archive contents and search for traversal with a literal (/L) match for both separator forms:

```cmd
7z l path_to_archive.zip | findstr /L /C:"../" /C:"..\\"
```

Additionally, monitoring application logs for errors or unusual file writes during snapshot import on Windows systems may help detect exploitation attempts. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include:
- Validate the integrity and origin of snapshot archives before importing them to ensure they come from trusted sources.
- Avoid importing untrusted or unauthenticated snapshot archives.
- Run the application with minimal filesystem permissions to limit the impact of any arbitrary file writes caused by exploitation.
- Consider upgrading to a fixed version if available, or use the commercial Never-Ending Support (NES) version offered by HeroDevs for Spring Data Geode, which includes the fix.