{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/code-marketplace/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["zip-slip","path-traversal","code-marketplace","persistence"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA Zip Slip vulnerability (CVE-2026-35454) exists in the Coder code-marketplace application, specifically in versions up to 2.4.1. The vulnerability stems from improper sanitization of zip entry names during VSIX file extraction, which allows an attacker to write files to arbitrary locations on the server. This flaw, discovered by Kandlaguduru Vamsi and detailed in GHSA-8x9r-hvwg-c55h, can be exploited by any authenticated user with upload privileges. Successful exploitation could lead to persistence via cron/init injection, SSH key injection, \u003ccode\u003eld.so.preload\u003c/code\u003e hijacking, or binary overwrite. The vulnerability was patched in version 2.4.2. Defenders should upgrade to the latest version of the code-marketplace application to prevent potential exploitation.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn authenticated user with upload privileges logs into the code-marketplace application.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious VSIX file containing zip entries with path traversal sequences (e.g., \u0026ldquo;../../../etc/cron.d/evil\u0026rdquo;).\u003c/li\u003e\n\u003cli\u003eThe attacker uploads the malicious VSIX file through the application\u0026rsquo;s extension upload functionality.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eExtractZip\u003c/code\u003e function processes the uploaded VSIX file without proper sanitization of zip entry names.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003efilepath.Join\u003c/code\u003e function constructs the output path using the unsanitized zip entry name and a base directory.\u003c/li\u003e\n\u003cli\u003ePath traversal sequences like \u003ccode\u003e..\u003c/code\u003e are resolved by \u003ccode\u003efilepath.Clean\u003c/code\u003e, but the resulting path is not checked against the intended base directory, allowing it to escape.\u003c/li\u003e\n\u003cli\u003eThe application writes the extracted file to an attacker-controlled location on the server\u0026rsquo;s file system.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves persistence, privilege escalation, or arbitrary code execution by overwriting critical system files or injecting malicious code into system configurations like cron jobs or SSH authorized keys.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this Zip Slip vulnerability allows attackers to write arbitrary files to the underlying system. An attacker can achieve persistence by injecting malicious cron jobs or modifying system initialization scripts. Privilege escalation is possible via SSH key injection or by overwriting binaries with malicious versions. The impact ranges from system compromise to data exfiltration and denial of service. While the number of victims is unknown, any organization using vulnerable versions of the Coder code-marketplace application is at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the coder/code-marketplace application to version 2.4.2 or later to remediate CVE-2026-35454.\u003c/li\u003e\n\u003cli\u003eImplement file integrity monitoring on critical system directories (e.g., /etc/cron.d, /root/.ssh) using a file_event log source to detect unauthorized file modifications.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Suspicious File Creation in Sensitive Directories\u0026rdquo; to detect potential exploitation attempts based on file creation events.\u003c/li\u003e\n\u003cli\u003eEnable webserver logging and deploy the provided Sigma rule \u0026ldquo;Detect VSIX Uploads with Path Traversal\u0026rdquo; to identify suspicious VSIX uploads containing path traversal sequences based on request parameters.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-04T06:29:50Z","date_published":"2026-04-04T06:29:50Z","id":"/briefs/2026-06-code-marketplace-zip-slip/","summary":"A Zip Slip vulnerability in coder/code-marketplace allows authenticated users to upload malicious VSIX files containing path traversal entries, leading to arbitrary file writes outside the extension directory and potentially enabling persistence.","title":"Coder Code-Marketplace Zip Slip Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-06-code-marketplace-zip-slip/"}],"language":"en","title":"CraftedSignal Threat Feed — Code-Marketplace","version":"https://jsonfeed.org/version/1.1"}