Executive Summary

[{'type': 'paragraph', 'content': "CVE-2026-29065 is a critical Zip Slip vulnerability in the backup restore functionality of the changedetection.io application (versions prior to 0.54.4). The vulnerability occurs because the application uses Python's zipfile.extractall() method without validating file paths inside uploaded ZIP archives. This allows an attacker to craft ZIP files containing path traversal sequences (like ../) that escape the intended extraction directory and overwrite arbitrary files on the server."}, {'type': 'paragraph', 'content': 'An attacker can upload a malicious ZIP archive via the backup restore endpoint containing files with paths designed to overwrite sensitive files outside the extraction directory. This can lead to overwriting critical files such as the Flask secret key, application settings, or watch configurations, enabling session forgery, authentication bypass, backdoor injection, and full compromise of the application configuration.'}] [1]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can have severe impacts including:

• Overwriting the Flask secret key file, which can enable attackers to forge sessions and bypass authentication.
• Modifying application configuration files to disable passwords or inject backdoors.
• Injecting malicious watch configurations that could alter the behavior of the application.
• Overall, it can lead to full compromise of the application by allowing arbitrary file overwrite on the server.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': "This vulnerability can be detected by monitoring the backup restore process for suspicious ZIP files containing path traversal sequences such as '../' in their file paths. Specifically, checking the extraction directory for files that have been written outside the intended directory (e.g., files like '../secret.txt' or '../changedetection.json') can indicate exploitation attempts."}, {'type': 'paragraph', 'content': 'You can verify if malicious ZIP archives have been uploaded by inspecting the backup restore endpoint usage and examining the contents of the extraction directory for unexpected files outside the normal scope.'}, {'type': 'paragraph', 'content': 'Suggested commands include:'}, {'type': 'list_item', 'content': 'Check for suspicious files outside the expected extraction directory (assuming /datastore/ is the extraction path):'}, {'type': 'list_item', 'content': 'find /datastore/ -name "*" -exec sh -c \'case "$1" in *../*) echo "Suspicious path traversal file: $1" ;; esac\' sh {} \\;'}, {'type': 'list_item', 'content': 'Manually inspect the contents of the extraction directory for files like secret.txt, changedetection.json, or watch.json that appear outside their expected locations.'}, {'type': 'list_item', 'content': 'Monitor HTTP requests to the backup restore endpoint (/backups/restore) for uploads of ZIP files with unusual sizes or names.'}] [1]

Useful 0 Not Useful 0

Mitigation Strategies

To mitigate this vulnerability immediately, upgrade changedetection.io to version 0.54.4 or later, where the vulnerability has been patched.

The patch includes validation of ZIP file extraction paths to prevent path traversal, rejecting ZIP files that attempt to write outside the intended directory.

Additional mitigations in the patch include:

• Rejecting ZIP files that exceed configured maximum decompressed size to prevent zip bomb attacks.
• Limiting the maximum upload size of backup ZIP files.
• Excluding sensitive files like secret.txt from backups to avoid secret leakage.
• Validating directory names during restore to only accept UUID v4 formatted directories.

If upgrading immediately is not possible, restrict access to the backup restore endpoint to trusted users only and monitor for suspicious uploads.

Useful 0 Not Useful 0