Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2025-66945 is a path traversal vulnerability in the ZIP extraction API of Zdir Pro version 4.x, a private file sharing and storage application. When a specially crafted ZIP archive containing directory traversal sequences like "../" is processed by the backend API endpoint at /api/extract, the application fails to properly sanitize or canonicalize file paths.'}, {'type': 'paragraph', 'content': 'This improper handling allows files to be written outside the intended extraction directory, leading to arbitrary file overwrite. The vulnerability arises because the function responsible for joining file paths does not clean dangerous path characters, and the extracted paths are used directly without validation.'}, {'type': 'paragraph', 'content': 'As a result, an authenticated attacker can craft a malicious ZIP archive that overwrites arbitrary files on the server filesystem, potentially enabling remote code execution.'}] [1, 2]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can have serious impacts including arbitrary file overwrite on the server hosting Zdir Pro. An attacker with authentication can upload a crafted ZIP file that writes files outside the intended directory.

Such arbitrary file overwrites can lead to remote code execution, allowing the attacker to execute malicious code on the server, potentially compromising the entire system.

This can result in data loss, unauthorized access, system compromise, and disruption of services.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by testing the ZIP extraction API endpoint at /api/extract with specially crafted ZIP archives containing directory traversal sequences such as "../".'}, {'type': 'paragraph', 'content': 'A practical detection method involves uploading a malicious ZIP file via the administration panel’s file upload section and observing if files are written outside the intended extraction directory.'}, {'type': 'paragraph', 'content': 'For example, you can use curl or similar HTTP clients to send a crafted ZIP file to the /api/extract endpoint and monitor the filesystem for unexpected file creation outside the target directory.'}, {'type': 'list_item', 'content': "Use curl to upload a crafted ZIP file: curl -X POST -F '[email protected]' https://your-zdir-instance/api/extract"}, {'type': 'list_item', 'content': 'Check for unexpected files outside the extraction directory, e.g., ls /tmp/evil.txt or other suspicious paths.'}, {'type': 'list_item', 'content': 'Monitor logs and filesystem changes during extraction to detect arbitrary file writes.'}] [1, 2]

Useful 0 Not Useful 0

Mitigation Strategies

[{'type': 'paragraph', 'content': 'Immediate mitigation steps include blocking ZIP entries that contain absolute paths or parent directory traversal sequences such as "../" before extraction.'}, {'type': 'paragraph', 'content': 'Validate and sanitize all input filenames in ZIP archives to prevent directory traversal.'}, {'type': 'paragraph', 'content': 'Normalize and canonicalize extraction paths to ensure files are extracted only within the intended directory.'}, {'type': 'paragraph', 'content': 'Enforce sandbox boundaries so that all extracted files remain confined within a predefined root directory.'}, {'type': 'paragraph', 'content': 'Use secure ZIP handling libraries that provide built-in protections against path traversal.'}, {'type': 'paragraph', 'content': 'Apply defense-in-depth strategies when processing untrusted archives, such as running extraction in isolated environments or containers.'}, {'type': 'paragraph', 'content': 'Currently, no official fix is available for Zdir Pro 4.x, so these mitigations are critical to reduce risk.'}] [2]

Useful 0 Not Useful 0