Path Traversal in Ghidra Extension Installer

Executive Summary

CVE-2026-52752 is a path traversal vulnerability in Ghidra versions before 12.0.2, specifically in the extension installer component.

The vulnerability occurs because the installer does not properly validate ZIP entry names during extraction. Attackers can craft malicious extension ZIP files containing traversal sequences like "../" in filenames.

This allows the attacker to write arbitrary files outside the intended extension directory, potentially overwriting important files in the user's system.

As a result, this can enable arbitrary code execution on the victim's machine.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability allows attackers to write arbitrary files outside the intended directory and execute arbitrary code, which can lead to unauthorized access and manipulation of data.

Such unauthorized access and potential data manipulation could impact compliance with standards and regulations like GDPR and HIPAA, which require protection of data confidentiality, integrity, and availability.

However, the provided information does not explicitly discuss the direct impact on compliance with these regulations.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can have serious impacts including unauthorized file writes outside the intended directory.

An attacker can place malicious files such as scripts or configuration files (e.g., ".bashrc" or "EXPLOIT.sh") in sensitive locations like the user's home directory.

This can lead to arbitrary code execution without requiring further user interaction, potentially allowing attackers to run malicious payloads on the affected system.

The overall impact affects confidentiality, integrity, and availability of the system.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability involves malicious ZIP archives containing path traversal sequences like "../" in filenames used by Ghidra's extension installer. Detection can focus on identifying suspicious ZIP files or unexpected files placed outside the intended extension directories.

You can scan for recently extracted files in user home directories or other unexpected locations that might have been created by a malicious extension installation.

• Check for suspicious files such as ".bashrc" or "EXPLOIT.sh" in user home directories that could have been placed by the exploit.
• Use commands to search for ZIP files containing traversal sequences in their entries, for example:
• unzip -l suspicious_extension.zip | grep "\.\./"
• Find recently modified or created files outside the expected Ghidra extension directory:
• find $HOME -type f -mtime -7

Monitoring logs for extension installation activities and unexpected file writes during these operations can also help detect exploitation attempts.

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation step is to upgrade Ghidra to version 12.0.2 or later, where the vulnerability has been fixed by validating ZIP entry paths before extraction.

Until the upgrade is applied, avoid installing extensions from untrusted sources to prevent exploitation via malicious ZIP archives.

Additionally, review and remove any suspicious files that may have been placed outside the intended directories by previous exploitation attempts.

Useful 0 Not Useful 0