Introduction
A path traversal vulnerability in Ghidra's extension installer allows attackers to write arbitrary files to a victim's filesystem simply by convincing them to install a crafted extension ZIP, turning a trusted reverse engineering tool into a potential attack vector against the very analysts who depend on it. The flaw, tracked as CVE-2026-52752, affects all Ghidra versions before 12.0.2 and carries a CVSS v3.1 score of 8.8 according to the GitHub Security Advisory.
Ghidra is a software reverse engineering framework developed by the NSA and released as open source software. With approximately 61,000 GitHub stars and widespread adoption across government agencies, security research firms, and academic institutions, it stands as one of the most popular free alternatives to commercial disassemblers like IDA Pro. Its extension system, which is the component affected by this vulnerability, is a core part of the platform's extensibility and community ecosystem.
Technical Information
CVE-2026-52752 is a classic "Zip Slip" vulnerability (CWE-22: Improper Limitation of a Pathname to a Restricted Directory). The vulnerable code is located in Ghidra/Framework/Generic/src/main/java/ghidra/util/extensions/ExtensionUtils.java at approximately line 579. The root cause is straightforward: entry.getName() from ZIP archive entries is used directly to construct the target file path during extraction without any validation for directory traversal sequences.
When a ZIP archive entry contains a filename with ../ sequences, the resolved destination path escapes the intended extension installation directory, and the extracted file is written to an arbitrary location on the filesystem.
CVSS Scoring
| Scoring System | Score | Source |
|---|---|---|
| CVSS v3.1 | 8.8 (High) | GHSA-jhc2-q7qf-9c25 |
| CVSS v4.0 | 8.4 (High) | VulnCheck Advisory |
| NVD | 7.8 | NVD (not yet enriched) |
The CVSS v3.1 vector (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) indicates a network accessible, low complexity attack requiring user interaction, with high impact across confidentiality, integrity, and availability. The CVSS v4.0 vector uses a local attack vector with active user interaction required, also resulting in high impact across all three dimensions.
Attack Flow
The exploitation chain proceeds through the following steps:
-
Craft a malicious extension ZIP: The attacker creates a ZIP file containing a valid Ghidra extension structure (including the required
extension.propertiesmetadata file) alongside one or more entries with path traversal sequences in their filenames. For example, an entry namedTestExtension/../../../../../EXPLOIT.shwould resolve to the user's home directory rather than the extensions folder. -
Distribute the malicious extension: The attacker delivers the ZIP to a target user via social engineering, a compromised extension repository, or a watering hole attack targeting the reverse engineering community.
-
User installs the extension: The victim installs the extension using the standard Ghidra workflow: File, then Install Extensions, then selecting the malicious ZIP file.
-
Arbitrary file write occurs: During extraction, the traversal sequences in the ZIP entry names cause files to be written outside the intended installation directory. Because
entry.getName()is used without path validation, the../sequences are resolved by the filesystem, placing the attacker's payload at an arbitrary location. -
Code execution: By overwriting shell configuration files such as
.bashrcor.profile, the attacker achieves arbitrary code execution the next time the user opens a terminal session.
Proof of Concept Structure
The documented proof of concept ZIP referenced in the GitHub Security Advisory contains:
TestExtension/(directory)extension.properties(valid metadata file required by Ghidra)TestExtension/../../../../../EXPLOIT.sh(payload file with traversal path)
The PoC demonstrates code execution by overwriting a user's shell configuration to launch a calculator application, serving as a benign demonstration of the arbitrary code execution capability.
Connection to CVE-2019-13623
This vulnerability is a recurrence of the same CWE-22 class that affected Ghidra before version 9.1. CVE-2019-13623 was a path traversal vulnerability in RestoreTask.java (package ghidra.app.plugin.core.archive). That earlier flaw was fixed using the FileUtilities.isPathContainedWithin() validation pattern in JarDecompiler.java. However, this same validation was never applied to the extension installer code path in ExtensionUtils.java, allowing the identical class of vulnerability to resurface approximately seven years later.
The fix for CVE-2026-52752 applies the same FileUtilities.isPathContainedWithin() check before extraction, ensuring the resolved destination path remains within the target extension directory. This raises a natural question: are there other archive extraction code paths in Ghidra that still lack this validation?
Affected Systems and Versions
All versions of Ghidra before 12.0.2 are affected. The vulnerability exists in the extension installer component, specifically in ExtensionUtils.java. Any Ghidra installation where users install extensions via the standard File menu workflow is vulnerable.
The fix is available in Ghidra 12.0.2 and later.
Vendor Security History
The NSA's security track record with Ghidra reveals a pattern of path traversal and archive handling vulnerabilities:
| CVE | Description | Affected Version | CWE | Severity |
|---|---|---|---|---|
| CVE-2019-13623 | Path traversal in RestoreTask.java via archive with traversal sequences | Before 9.1 | CWE-22 | Medium |
| CVE-2019-13625 | XXE when a project is opened, restored, or a tool is imported | Before 9.0.1 | CWE-611 | Medium |
| CVE-2026-52752 | Zip Slip path traversal in extension installer via ZIP entry names | Before 12.0.2 | CWE-22 | High |
The recurrence of CWE-22 across two distinct code paths over a span of approximately seven years indicates a systemic gap in applying secure archive extraction patterns consistently across the Ghidra codebase. The fix for CVE-2019-13623 was applied locally in JarDecompiler.java but was not propagated to the extension installer, a pattern that suggests the project would benefit from a codebase wide audit of all archive extraction routines.
The advisory for CVE-2026-52752 was published on February 2, 2026 by emteere, with discovery credited to researchers @PrasanthSundararajan69 and Finder16. External security researchers have contributed to Ghidra's security posture previously; Oceanit's Software and Cybersecurity team found and fixed a separate vulnerability through responsible disclosure with the NSA.
References
- NVD: CVE-2026-52752
- GitHub Security Advisory: Zip Slip Path Traversal in Ghidra Extension Installer (GHSA-jhc2-q7qf-9c25)
- VulnCheck Advisory: Ghidra Path Traversal in Extension Installer via ZIP Entry Names
- NVD: CVE-2019-13623 (Prior Ghidra Path Traversal)
- NVD: CVE-2019-13625 (Prior Ghidra XXE)
- Ghidra GitHub Repository
- NSA Ghidra Official Page
- Android Developer Documentation: Zip Path Traversal
- Ghidra Vulnerability History (CIRCL)
- Oceanit: Fixing Vulnerability in NSA Cybersecurity Tool
- Ghidra Extension Installation Documentation



