CVE-2026-35454
Zip Slip Vulnerability in Code Extension Marketplace Allows Arbitrary File Write
Publication date: 2026-04-06
Last updated on: 2026-04-28
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| coder | code-marketplace | to 2.4.1 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability, known as a Zip Slip, exists in the Code Extension Marketplace before version 2.4.2. It allows a malicious VSIX file to write arbitrary files outside the intended extension directory. The issue arises because the ExtractZip function passes raw zip entry names to a callback that writes files using filepath.Join without checking boundaries. Although filepath.Join resolves '..' components, it does not prevent the resulting path from escaping the base directory, enabling potential directory traversal and unauthorized file writes.
How can this vulnerability impact me? :
This vulnerability can allow an attacker to write files anywhere on the file system where the application has write permissions. This could lead to overwriting critical files, injecting malicious code, or compromising the integrity and security of the system running the Code Extension Marketplace.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should upgrade the Code Extension Marketplace to version 2.4.2 or later, where the Zip Slip vulnerability has been fixed.