Description
DevToys is a desktop app for developers. In versions from 2.0.0.0 to before 2.0.9.0, a path traversal vulnerability exists in the DevToys extension installation mechanism. When processing extension packages (NUPKG archives), DevToys does not sufficiently validate file paths contained within the archive. A malicious extension package could include crafted file entries such as ../../…/target-file, causing the extraction process to write files outside the intended extensions directory. This flaw enables an attacker to overwrite arbitrary files on the user’s system with the privileges of the DevToys process. Depending on the environment, this may lead to code execution, configuration tampering, or corruption of application or system files. This issue has been patched in version 2.0.9.0.
Published: 2026-01-10
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote File Overwrite with Potential for Code Execution
Action: Apply Patch
AI Analysis

Impact

DevToys, a desktop application for developers, has a path traversal flaw in its extension installation mechanism that allows the extraction of files outside the intended extensions directory. An attacker can craft a NUPKG archive containing paths such as ../../…/target-file; the program then writes these files using the privileges of the DevToys process. The vulnerability is identified as CWE-22 and can lead to a local overwrite of arbitrary files, potentially enabling code execution, configuration tampering, or system corruption if critical files are affected.

Affected Systems

The flaw affects DevToys v2.0.0.0 through v2.0.8.0. Versions 2.0.9.0 and later contain a patch that validates paths during extraction and mitigates the issue.
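The check that the patched extraction needs, as an added illustration (not DevToys code): every archive entry is resolved against the extensions directory before anything is written, and a package with even one escaping entry is refused whole. It is written in Python rather than DevToys' C# so it runs stand-alone; the install directory and the sample package contents are constructed placeholders.

```python
import io
import os
import tempfile
import zipfile
from pathlib import PureWindowsPath

def is_safe_member(root: str, member: str) -> bool:
    """True only if writing `member` under `root` cannot land outside `root`."""
    name = member.replace("\\", "/")        # archives built on Windows may carry '\'
    if name.startswith("/") or PureWindowsPath(name).drive:
        return False                         # absolute or drive-qualified (C:/...) entry
    if ".." in name.split("/"):
        return False                         # any parent-directory component
    root_abs = os.path.abspath(root)
    dest = os.path.abspath(os.path.join(root_abs, name))
    return dest == root_abs or dest.startswith(root_abs + os.sep)

def audit_package(archive_bytes: bytes, root: str) -> list:
    """Names of every entry in a .nupkg (a plain zip) that would escape `root`."""
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        return [m for m in zf.namelist() if not is_safe_member(root, m)]

def safe_extract(archive_bytes: bytes, root: str = "") -> list:
    """Refuse the whole package if any entry escapes; else extract and return names written."""
    root = root or tempfile.mkdtemp(prefix="devtoys-ext-")   # placeholder install dir
    bad = audit_package(archive_bytes, root)
    if bad:
        raise ValueError(f"refusing package, entries escape {root}: {bad}")
    written = []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            dest = os.path.join(root, info.filename.replace("\\", "/"))
            os.makedirs(os.path.dirname(dest), exist_ok=True)
            with zf.open(info) as src, open(dest, "wb") as dst:
                dst.write(src.read())
            written.append(info.filename)
    return written

def build_package(entries: dict) -> bytes:
    """Constructed sample .nupkg: a zip with the given entry names and contents."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()
```

`audit_package` can also be run over an already-downloaded .nupkg to vet it before installation, which is the "trusted, verified sources" step in practice.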

Risk and Exploitability

The vulnerability carries a CVSS score of 8.8, indicating high severity. Its EPSS score is listed as <1%, reflecting a low probability of exploitation, yet it remains possible. It is not yet included in the CISA KEV catalog. The likely attack vector is a malicious extension package that a user explicitly installs or that is supplied through an untrusted source. An attacker who can deliver such a package has the opportunity to overwrite system or application files with the privileges of the DevToys process, which may lead to further compromise of the user machine.

Generated by OpenCVE AI on April 18, 2026 at 07:10 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade DevToys to version 2.0.9.0 or later, which includes a fix that validates file paths during extraction
  • Uninstall any extensions that were installed before the patch and reinstall them from trusted, verified sources
  • Configure or restrict the extension installation process to prevent untrusted packages from being installed, and monitor the extensions directory for unauthorized modifications


Advisories

No advisories yet.

History

Thu, 12 Mar 2026 19:30:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Devtoys; Devtoys devtoys
CPEs                                  cpe:2.3:a:devtoys:devtoys:*:*:*:*:*:*:*:*
Vendors & Products                    Devtoys; Devtoys devtoys

Mon, 12 Jan 2026 15:15:00 +0000

Type                 Values Removed   Values Added
Metrics                               ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 12 Jan 2026 14:45:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Devtoys-app; Devtoys-app devtoys
Vendors & Products                    Devtoys-app; Devtoys-app devtoys

Sat, 10 Jan 2026 06:00:00 +0000

Type                 Values Removed   Values Added
Description                           DevToys is a desktop app for developers. In versions from 2.0.0.0 to before 2.0.9.0, a path traversal vulnerability exists in the DevToys extension installation mechanism. When processing extension packages (NUPKG archives), DevToys does not sufficiently validate file paths contained within the archive. A malicious extension package could include crafted file entries such as ../../…/target-file, causing the extraction process to write files outside the intended extensions directory. This flaw enables an attacker to overwrite arbitrary files on the user’s system with the privileges of the DevToys process. Depending on the environment, this may lead to code execution, configuration tampering, or corruption of application or system files. This issue has been patched in version 2.0.9.0.
Title                                 DevToys Path Traversal (“Zip Slip”) Vulnerability in DevToys Extension Installation
Weaknesses                            CWE-22
References
Metrics                               cvssV3_1: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-12T14:39:28.330Z

Reserved: 2026-01-08T19:23:09.853Z

Link: CVE-2026-22685

Vulnrichment

Updated: 2026-01-12T14:39:25.549Z

NVD

Status: Analyzed

Published: 2026-01-10T06:15:51.743

Modified: 2026-03-12T19:20:51.123

Link: CVE-2026-22685

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T07:15:25Z

Weaknesses