Impact
SzafirHost verifies the integrity of downloaded native library archives by parsing the Central Directory with one parser, but extracts libraries with a second parser that reads sequentially from local file headers. An attacker who controls the served archive can inject a malicious DLL, SO or DYLIB as a local-file-header entry placed after the last legitimate entry and before the Central Directory. Because the signature verifier never inspects the injected entry, the archive passes validation, while the extractor writes the malicious library to the system's temporary native directory without any hash or signature check. The flaw therefore lets an attacker place executable code on the local file system, leading to remote code execution on the host running SzafirHost. The root cause is the use of two different parsing mechanisms for the same archive format, which creates a mismatch between what is verified and what is extracted. This is a classic case of CWE-434, Untrusted File Type. The lack of a single authoritative parsing and validation step allows a crafted archive to bypass security checks. An attacker would need to supply a specially crafted archive to a server or client component that accepts and extracts native libraries from external sources. Once the archive is processed, the attacker's payload is written to a temporary directory and can be executed by the hosting application or system services with the privileges of the SzafirHost process.
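The parser mismatch described above can be caught before extraction by walking the archive both ways and rejecting any entry that the sequential local-file-header walk reaches but the Central Directory does not list. The check below is an added example, not SzafirHost's code; the archive layout, the entry names libexample.so and extra.so, and the payload bytes are constructed here, Python's zipfile stands in for the Central-Directory-only verifier, and the walk handles only stored entries without data descriptors.

```python
import io
import struct
import zipfile
import zlib

LOCAL_SIG = b"PK\x03\x04"      # local file header signature
CENTRAL_SIG = b"PK\x01\x02"    # central directory file header signature
LOCAL_FMT = "<HHHHHIIIHH"      # local header fields after the signature (26 bytes)

def local_header_names(data: bytes) -> list[str]:
    """Walk local file headers sequentially, as the extractor in the advisory does.
    Assumes stored (uncompressed) entries without data descriptors."""
    names, pos = [], 0
    while data.startswith(LOCAL_SIG, pos):
        _, flags, method, _, _, _, csize, _, nlen, xlen = struct.unpack_from(LOCAL_FMT, data, pos + 4)
        if flags & 0x08 or method != 0:
            raise ValueError("data descriptors / compressed entries are out of scope for this demo")
        names.append(data[pos + 30:pos + 30 + nlen].decode("utf-8"))
        pos += 30 + nlen + xlen + csize          # skip name, extra field and file data
    return names

def central_directory_names(data: bytes) -> list[str]:
    """What a Central-Directory-only verifier sees: zipfile.namelist() reads only the CD."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.namelist()

def injected_entries(data: bytes) -> list[str]:
    """Entries reachable by sequential extraction but absent from the verified Central Directory.
    A non-empty result means the archive must be rejected before anything is written to disk."""
    verified = set(central_directory_names(data))
    return [n for n in local_header_names(data) if n not in verified]

def build_archive(inject: bool) -> bytes:
    """Constructed test fixture: one legitimate entry, optionally followed by an extra
    local-file-header entry between the last legitimate entry and the Central Directory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("libexample.so", b"legitimate library bytes (constructed)")
    data = buf.getvalue()
    if not inject:
        return data
    name, payload = b"extra.so", b"constructed test payload, not a real library"
    header = LOCAL_SIG + struct.pack(LOCAL_FMT, 20, 0, 0, 0, 0, zlib.crc32(payload),
                                     len(payload), len(payload), len(name), 0)
    cd_start = data.find(CENTRAL_SIG)          # first central directory record
    return data[:cd_start] + header + name + payload + data[cd_start:]

if __name__ == "__main__":
    for inject in (False, True):
        print(f"injected={inject}: unverified entries = {injected_entries(build_archive(inject))}")
```

The same consistency check generalises to any extractor that trusts local headers: a single authoritative parse (the Central Directory) should drive both verification and extraction, and anything outside it is grounds for rejecting the whole archive.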
Affected Systems
The affected product is SzafirHost from Krajowa Izba Rozliczeniowa. Versions earlier than 1.2.2 are vulnerable; the remediation notes that the issue was fixed in version 1.2.2, so all releases prior to that are impacted.
Risk and Exploitability
The vulnerability carries a CVSS score of 8.6, indicating high severity. No EPSS score is available, so the current probability of exploitation cannot be quantified. The vulnerability is not listed in the CISA KEV catalog, suggesting it may not yet have known exploitation in the wild. The attack vector, inferred from the description, requires an attacker to supply a crafted archive to the system; if the application accepts user‑supplied archives from networks or local input, exploitation is possible. Adequate safeguards such as authenticating archives or restricting accepted file types could mitigate the risk. The potential impact is full remote code execution, granting the attacker complete control over the affected host.
OpenCVE Enrichment