Description
Slopsmith is a self-contained web application for browsing, playing, and practicing Rocksmith 2014 Custom DLC (CDLC). Prior to 0.2.9-alpha.5, a path-traversal vulnerability in Slopsmith's archive extractors allows an attacker to write arbitrary files outside the extraction directory by supplying a crafted PSARC or sloppak archive. With the default Docker configuration (running as root) and the ability to drop a file into the plugin directory, this escalates to arbitrary remote code execution on the host.

Three archive extractors concatenated archive-entry filenames directly onto the extraction root without validation:

  • `lib/psarc.py::unpack_psarc` — PSARC TOC filenames
  • `lib/patcher.py::unpack_psarc` — duplicate of the above in the patcher flow
  • `lib/sloppak.py::_unpack_zip` — bare `ZipFile.extractall()` with no member filter

Each accepts entry names containing `..` segments, absolute paths, or backslash separators. The Python `zipfile` module's default `extractall()` is documented as not preventing traversal when callers don't supply a member-filter callback.

Version 0.2.9-alpha.5 patches the issue. Until updated, do not open PSARC or sloppak archives from untrusted sources, and do not expose the Slopsmith instance to the public internet. Docker users should also pull the latest image after the next slopsmith Docker image is published.
Published: 2026-06-19
Score: 7.6 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A path-traversal flaw exists in Slopsmith’s archive extractors that allows an attacker to write files outside the intended extraction directory. By supplying a crafted PSARC or sloppak archive, the application blindly concatenates entry names to the target path. This flaw can lead to arbitrary file creation, including overwriting system executables. If the application is run with elevated privileges, such as the default Docker image that runs as root, the attacker can then execute code on the host system. The weakness is a classic path traversal (CWE‑22/23/36).
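
A containment check of the kind the description says the extractors lacked, as an added example (not Slopsmith's code or its actual patch). `safe_member_path`, `extract_entries` and the sample entry names are hypothetical, and an archive is modelled as a name-to-bytes mapping rather than a parsed PSARC TOC.

```python
import tempfile
from pathlib import Path, PurePosixPath, PureWindowsPath

# Constructed sample entry tables (not taken from any real archive).
BENIGN = {"manifests/song.json": b"{}", "audio/song.ogg": b"OggS"}
HOSTILE_NAMES = ["../outside.txt", "/abs/outside.txt", "..\\outside.txt",
                 "C:outside.txt", "a/../../outside.txt"]

class UnsafeEntryName(ValueError):
    """An archive entry name that would land outside the extraction root."""

def safe_member_path(root: Path, entry_name: str) -> Path:
    """Hypothetical helper: map an entry name to a path strictly under root."""
    if not entry_name or "\x00" in entry_name:
        raise UnsafeEntryName(f"empty or NUL-containing name: {entry_name!r}")
    # Backslash separators and drive prefixes are refused outright.
    if "\\" in entry_name or PureWindowsPath(entry_name).drive:
        raise UnsafeEntryName(f"backslash or drive-qualified: {entry_name!r}")
    posix = PurePosixPath(entry_name)
    if posix.is_absolute() or ".." in posix.parts:
        raise UnsafeEntryName(f"absolute or parent-relative: {entry_name!r}")
    # Final check after resolving symlinks already present in the tree.
    root = root.resolve()
    target = (root / posix).resolve()
    if target == root or not target.is_relative_to(root):
        raise UnsafeEntryName(f"resolves outside root: {entry_name!r}")
    return target

def extract_entries(root: Path, entries: dict[str, bytes]) -> list[str]:
    """Validate every name first, so one bad entry means nothing is written."""
    targets = [(safe_member_path(root, n), data) for n, data in entries.items()]
    for target, data in targets:
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)
    return sorted(str(t.relative_to(root.resolve())) for t, _ in targets)

def demo() -> tuple[list[str], list[str]]:
    """Extract the benign table, then record which hostile names are refused."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "extract"
        root.mkdir()
        written, rejected = extract_entries(root, BENIGN), []
        for name in HOSTILE_NAMES:
            try:
                extract_entries(root, {name: b"x"})
            except UnsafeEntryName:
                rejected.append(name)
        return written, rejected

if __name__ == "__main__":
    print(demo())
```

Validating the whole entry table before the first write means a single bad name leaves the extraction directory untouched.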

Affected Systems

The vulnerability affects the Slopsmith web application developed by byrongamatos. Versions prior to 0.2.9‑alpha.5 are affected. The flaw is present in the PSARC, patcher, and sloppak archive handlers. Containers using the default Docker image, which runs as root, are especially vulnerable when the Slopsmith instance is reachable.

Risk and Exploitability

The CVSS score of 7.6 classifies the issue as high severity. EPSS is not available, and the vulnerability is not listed in CISA’s KEV catalog. An attacker only needs to supply a malicious archive; no network-facing service is required beyond accessing the web interface. In a typical Docker deployment, the attacker can elevate privileges if the container runs as root and can write to the plugin directory, leading to remote code execution.

Generated by OpenCVE AI on June 19, 2026 at 21:15 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Slopsmith to version 0.2.9‑alpha.5 or later, which removes the unchecked archive extraction path.
  • If an upgrade is not possible, ensure that Slopsmith is isolated from public networks and does not accept archives from untrusted sources.
  • Configure Docker to run the container as a non‑root user or remove write permissions to the plugin directory to prevent exploitation by the attacker.

Advisories

No advisories yet.

History

Fri, 19 Jun 2026 18:15:00 +0000

Type Values Removed Values Added
Title Slopsmith has path traversal in archive extractors that allows arbitrary file write → potential RCE
Weaknesses CWE-22, CWE-23, CWE-36
References
Metrics cvssV4_0 {'score': 7.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:U'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-19T17:31:05.659Z

Reserved: 2026-05-28T20:07:58.862Z

Link: CVE-2026-49290

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-19T21:30:17Z

Weaknesses
  • CWE-22

    Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

  • CWE-23

    Relative Path Traversal

  • CWE-36

    Absolute Path Traversal