Impact
A zip slip vulnerability in the Admin import functionality of CTFd v3.8.1-18-gdb5a18c4 allows attackers to write arbitrary files outside the intended directories by supplying a crafted import. In a zip slip flaw, archive entry names containing path traversal sequences are written to disk without being confined to the extraction directory. Key detail from the vendor description: "A zip slip vulnerability in the Admin import functionality of CTFd v3.8.1-18-gdb5a18c4 allows attackers to write arbitrary files outside the intended directories via supplying a crafted import." This flaw permits an attacker to place potentially malicious files in sensitive locations on the host system, which could be used in a broader attack chain. The primary impact is the capability to write arbitrary files; it does not by itself grant code execution, but it enables further exploitation steps if the placed files are later executed by an application with higher privileges.
Affected Systems
The affected product is the open-source CTFd platform. Versions v3.8.1-18-gdb5a18c4 and all releases before the patch issued in CTFd v3.8.2 are vulnerable. No specific vendor is listed, but the platform is maintained by the CTFd community and its code is available on GitHub.
Risk and Exploitability
The CVSS score of 7.5 indicates a high severity. The EPSS score of less than 1% suggests a low probability of exploitation in the wild at the time of disclosure. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is through the web interface’s Admin import feature, which requires legitimate administrative access. Based on the description, it is inferred that an attacker would need to compromise an administrator's credentials or otherwise gain access to the import endpoint to exploit the flaw. If such access is obtained, the ability to write arbitrary files could be leveraged for additional attacks such as privilege escalation or remote code execution when the files are later executed in a trusted context.
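The defensive check that closes this class of bug is to resolve every archive entry against the destination directory and refuse any that lands outside it. The following is an added example written for this page, not CTFd's own import code; the archive it builds is a constructed sample with one benign entry and one `../` entry, and the function names are hypothetical.

```python
import io
import tempfile
import zipfile
from pathlib import Path


def build_sample_archive() -> bytes:
    """Constructed sample, not a real CTFd export: one benign entry and one
    whose name tries to climb out of the extraction directory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("db/challenges.json", "[]")
        zf.writestr("../../outside.txt", "escaped")
    return buf.getvalue()


def is_within(root: Path, candidate: Path) -> bool:
    """True when `candidate` resolves to `root` itself or something under it."""
    return candidate == root or root in candidate.parents


def safe_extract(archive_bytes: bytes, dest: str) -> tuple[list[str], list[str]]:
    """Extract entries that resolve inside `dest`; return (extracted, rejected).

    The containment test runs on the fully resolved joined path, so "../"
    segments, absolute entry names and symlinked parent directories are all
    caught by one check instead of by string matching on the entry name.
    """
    root = Path(dest).resolve()
    extracted, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            target = (root / info.filename).resolve()
            if not is_within(root, target):
                rejected.append(info.filename)  # would land outside dest
                continue
            if info.is_dir():
                target.mkdir(parents=True, exist_ok=True)
                continue
            target.parent.mkdir(parents=True, exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            extracted.append(info.filename)
    return extracted, rejected


def run_demo() -> tuple[list[str], list[str]]:
    """Extract the sample archive into a fresh temporary directory."""
    return safe_extract(build_sample_archive(), tempfile.mkdtemp())
```

Running `run_demo()` extracts `db/challenges.json` and rejects `../../outside.txt`; logging the rejected names gives defenders a detection signal for crafted imports.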
OpenCVE Enrichment