Description
The Code Extension Marketplace is an open-source alternative to the VS Code Marketplace. Prior to 2.4.2, Zip Slip vulnerability in coder/code-marketplace allowed a malicious VSIX file to write arbitrary files outside the extension directory. ExtractZip passed raw zip entry names to a callback that wrote files via filepath.Join with no boundary check; filepath.Join resolved .. components but did not prevent the result from escaping the base path. This vulnerability is fixed in 2.4.2.
Published: 2026-04-06
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary File Write via Path Traversal
Action: Patch
AI Analysis

Impact

The vulnerability results from an unchecked Zip Slip condition when installing extensions. A malicious VSIX file can write files outside the intended extension directory, enabling the creation or overwrite of arbitrary files. This may lead to tampering of critical system files, paving the way for further compromise or denial of service. The weakness corresponds to path traversal (CWE‑22).

Affected Systems

The Code Extension Marketplace, maintained by coder, is the affected product. All releases prior to 2.4.2 are vulnerable; users and organizations deploying the marketplace should determine if they are running v2.4.1 or older and plan to upgrade. The marketplace serves as an open‑source alternative to the VS Code Marketplace and is commonly used in development environments.

Risk and Exploitability

With a CVSS score of 8.7, the vulnerability is considered high severity. No EPSS data is available, and it is not listed in CISA's KEV catalog, limiting published exploit probability details. The attack requires submission of a malicious VSIX package to the marketplace. Once the package is processed, the attacker can write or overwrite files outside the extension directory, potentially reaching privileged files and compromising the host. Consequently, the risk to systems that accept extensions from untrusted sources is significant.

Generated by OpenCVE AI on April 7, 2026 at 01:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Code Extension Marketplace to version 2.4.2 or later.
  • Verify the integrity of the installed version and confirm that no older releases remain on the system.
  • If the marketplace is publicly accessible, restrict uploads to trusted users or disable public extension publishing until the update is applied.
  • Monitor system logs for unexpected file creation or modification outside the extension directory.
  • Consider applying additional file system permissions to the extension directory to reduce the impact of any remaining path traversal attempts.

Generated by OpenCVE AI on April 7, 2026 at 01:54 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-8x9r-hvwg-c55h Code Extension Marketplace: Zip Slip Path Traversal
History

Tue, 28 Apr 2026 17:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:coder:code-marketplace:*:*:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N'}

Tue, 07 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 07 Apr 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Coder
Coder code-marketplace
Vendors & Products Coder
Coder code-marketplace

Tue, 07 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
Description The Code Extension Marketplace is an open-source alternative to the VS Code Marketplace. Prior to 2.4.2, Zip Slip vulnerability in coder/code-marketplace allowed a malicious VSIX file to write arbitrary files outside the extension directory. ExtractZip passed raw zip entry names to a callback that wrote files via filepath.Join with no boundary check; filepath.Join resolved .. components but did not prevent the result from escaping the base path. This vulnerability is fixed in 2.4.2.
Title Code Extension Marketplace has a Zip Slip Path Traversal
Weaknesses CWE-22
References
Metrics cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Coder Code-marketplace
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-07T15:08:45.865Z

Reserved: 2026-04-02T19:25:52.193Z

Link: CVE-2026-35454

cve-icon Vulnrichment

Updated: 2026-04-07T14:35:19.481Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-06T22:16:23.760

Modified: 2026-04-28T17:01:42.803

Link: CVE-2026-35454

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-07T09:36:34Z

Weaknesses