A critical path traversal flaw, known as Zip Slip (CWE-22), affects coder/code-marketplace versions up to 2.4.1. Attackers with upload access can craft malicious VSIX files—Microsoft’s format for VS Code extensions—to overwrite files anywhere the marketplace process can write. This includes sensitive system paths if the service runs with elevated privileges. Coder patched it in v2.4.2, crediting researcher Kandlaguduru Vamsi for disclosure.
Zip Slip exploits zip archives’ ability to store arbitrary pathnames, including “../” sequences. In code-marketplace, the ExtractZip function hands raw, attacker-controlled entry names (zf.Name) directly to a callback. That callback, in AddExtension, builds output paths using filepath.Join(dir, name) without validating the result stays inside dir. Go’s filepath.Join cleans “..” components but doesn’t enforce boundaries—if dir is “/srv/ext/pub/1.0” and name is “../../../../etc/cron.d/evil”, the result becomes “/etc/cron.d/evil”.
return false, fn(zf.Name, zr) // zf.Name not sanitized
path := filepath.Join(dir, name) // zip loop
path := filepath.Join(dir, file.RelativePath) // extra files loop
This isn’t novel—Zip Slip has burned countless apps since 2018, from Jenkins to Apache projects. Coder’s marketplace handles VSIX uploads for their remote VS Code platform (code-server), letting teams share extensions in air-gapped or enterprise setups. But any authenticated user with upload rights can exploit it. No public PoC exists yet, but replication takes minutes: zip a VSIX with traversal payloads and upload.
Attack Implications
Damage scales with the marketplace process’s privileges. Running as root? Attackers inject cron jobs, SSH keys into /root/.ssh, or ld.so.preload hooks for rootkit persistence. Non-root but writable dirs? Still risky—overwrite configs, binaries, or drop webshells if tied to a web server. In Coder deployments, marketplace often runs under a service account with broad filesystem access for extension storage.
Why this matters: Coder targets secure, self-hosted dev environments. A compromised marketplace turns it into an entry point for lateral movement. Teams using internal extension repos face insider threats or supply-chain risks if untrusted users upload. Check your setup—does marketplace bind to sensitive volumes? Audit upload roles. Post-exploit, attackers persist quietly; detection needs filesystem monitoring, like auditd or Falco rules on unexpected writes.
Beyond immediate RCE, this highlights zip handling pitfalls. Languages like Go lack safe extractors out of the box—libs like archive/zip expect callers to sanitize. Best practice: resolve paths against a base with filepath.Abs, then check that the result still has the base as its prefix. Or use libraries like github.com/klauspost/compress with built-in safeguards.
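The check described above, as an added Go example (not code from code-marketplace or Coder): SafeJoin resolves the destination with filepath.Abs and a prefix test that includes the trailing separator, ValidateEntries applies it to every archive member before anything is written, and BuildArchive is a hypothetical helper that constructs a sample VSIX-style archive in memory so the check can be exercised offline. It assumes Go 1.20 or later for errors.Join and zip.ErrInsecurePath.

```go
package main

import (
	"archive/zip"
	"bytes"
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

var ErrTraversal = errors.New("zip entry escapes destination directory")

// SafeJoin resolves an entry name against dir; the trailing separator in the prefix check stops "/x/1.0-evil" passing as a child of "/x/1.0".
func SafeJoin(dir, name string) (string, error) {
	base, err := filepath.Abs(dir)
	target := filepath.Join(base, name) // Join cleans ".." but enforces no boundary
	if err != nil || filepath.IsAbs(name) || (target != base && !strings.HasPrefix(target, base+string(filepath.Separator))) {
		return "", errors.Join(err, ErrTraversal) // an unresolvable base is also a reason not to write
	}
	return target, nil
}

// ValidateEntries maps each zip member (a VSIX is a zip) to its path under dir, failing on the first that escapes; write nothing until it passes.
func ValidateEntries(data []byte, dir string) ([]string, error) {
	zr, err := zip.NewReader(bytes.NewReader(data), int64(len(data)))
	if err != nil && !errors.Is(err, zip.ErrInsecurePath) { // Go 1.20+ may pre-flag "../" names itself
		return nil, err
	}
	var paths []string
	for _, zf := range zr.File {
		path, err := SafeJoin(dir, zf.Name)
		if err != nil {
			return nil, fmt.Errorf("entry %q: %w", zf.Name, err)
		}
		paths = append(paths, path)
	}
	return paths, nil
}

// BuildArchive is a constructed sample-input builder (hypothetical helper, not part of any project).
func BuildArchive(entries [][2]string) []byte {
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	for _, e := range entries {
		w, _ := zw.Create(e[0])
		w.Write([]byte(e[1]))
	}
	zw.Close()
	return buf.Bytes()
}
```

Note that zip.Writer accepts "../" in entry names without complaint, which is exactly why the reading side has to validate. Logging the rejected entry name from the wrapped error gives you the upload-side detection signal the post asks for.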
Fix and Next Steps
Upgrade to v2.4.2 immediately—it adds path sanitization before writing. Verify via go list -m github.com/coder/code-marketplace@latest or check the release at github.com/coder/code-marketplace/releases/tag/v2.4.2. Coder’s policy page confirms a responsible disclosure process, which Vamsi followed.
Don’t stop at patching. Rotate creds if exploited. Scan deployments with tools like Trivy or Grype for similar vulns (e.g., search Zip Slip CVEs). For custom extractors, test with payloads like ../../../../../etc/passwd or absolute paths. In containerized setups, use read-only roots and seccomp to limit writes.
Coder moves fast—v2.4.1 shipped recently, and they fixed it in days. Fair play, but this underscores the need to audit third-party zip code. If you’re building marketplaces or unpackers, own the sanitization; don’t trust path APIs. Incidents like this cost hours in forensics—proactive bounds-checking saves them.