ZeroPath at Black Hat USA 2026

Brief Summary: Ghidra Extension Installer Zip Slip Vulnerability (CVE-2026-52752)

A short review of CVE-2026-52752, a high severity Zip Slip path traversal vulnerability in Ghidra's extension installer that enables arbitrary file writes and code execution through crafted ZIP archives.

CVE Analysis

7 min read

ZeroPath CVE Analysis
ZeroPath CVE Analysis

2026-06-10

Brief Summary: Ghidra Extension Installer Zip Slip Vulnerability (CVE-2026-52752)
Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

[email protected]

Introduction

A path traversal vulnerability in Ghidra's extension installer allows attackers to write arbitrary files to a victim's filesystem simply by convincing them to install a crafted extension ZIP, turning a trusted reverse engineering tool into a potential attack vector against the very analysts who depend on it. The flaw, tracked as CVE-2026-52752, affects all Ghidra versions before 12.0.2 and carries a CVSS v3.1 score of 8.8 according to the GitHub Security Advisory.

Ghidra is a software reverse engineering framework developed by the NSA and released as open source software. With approximately 61,000 GitHub stars and widespread adoption across government agencies, security research firms, and academic institutions, it stands as one of the most popular free alternatives to commercial disassemblers like IDA Pro. Its extension system, which is the component affected by this vulnerability, is a core part of the platform's extensibility and community ecosystem.

Technical Information

CVE-2026-52752 is a classic "Zip Slip" vulnerability (CWE-22: Improper Limitation of a Pathname to a Restricted Directory). The vulnerable code is located in Ghidra/Framework/Generic/src/main/java/ghidra/util/extensions/ExtensionUtils.java at approximately line 579. The root cause is straightforward: entry.getName() from ZIP archive entries is used directly to construct the target file path during extraction without any validation for directory traversal sequences.

When a ZIP archive entry contains a filename with ../ sequences, the resolved destination path escapes the intended extension installation directory, and the extracted file is written to an arbitrary location on the filesystem.

CVSS Scoring

Scoring SystemScoreSource
CVSS v3.18.8 (High)GHSA-jhc2-q7qf-9c25
CVSS v4.08.4 (High)VulnCheck Advisory
NVD7.8NVD (not yet enriched)

The CVSS v3.1 vector (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) indicates a network accessible, low complexity attack requiring user interaction, with high impact across confidentiality, integrity, and availability. The CVSS v4.0 vector uses a local attack vector with active user interaction required, also resulting in high impact across all three dimensions.

Attack Flow

The exploitation chain proceeds through the following steps:

  1. Craft a malicious extension ZIP: The attacker creates a ZIP file containing a valid Ghidra extension structure (including the required extension.properties metadata file) alongside one or more entries with path traversal sequences in their filenames. For example, an entry named TestExtension/../../../../../EXPLOIT.sh would resolve to the user's home directory rather than the extensions folder.

  2. Distribute the malicious extension: The attacker delivers the ZIP to a target user via social engineering, a compromised extension repository, or a watering hole attack targeting the reverse engineering community.

  3. User installs the extension: The victim installs the extension using the standard Ghidra workflow: File, then Install Extensions, then selecting the malicious ZIP file.

  4. Arbitrary file write occurs: During extraction, the traversal sequences in the ZIP entry names cause files to be written outside the intended installation directory. Because entry.getName() is used without path validation, the ../ sequences are resolved by the filesystem, placing the attacker's payload at an arbitrary location.

  5. Code execution: By overwriting shell configuration files such as .bashrc or .profile, the attacker achieves arbitrary code execution the next time the user opens a terminal session.

Proof of Concept Structure

The documented proof of concept ZIP referenced in the GitHub Security Advisory contains:

  • TestExtension/ (directory)
  • extension.properties (valid metadata file required by Ghidra)
  • TestExtension/../../../../../EXPLOIT.sh (payload file with traversal path)

The PoC demonstrates code execution by overwriting a user's shell configuration to launch a calculator application, serving as a benign demonstration of the arbitrary code execution capability.

Connection to CVE-2019-13623

This vulnerability is a recurrence of the same CWE-22 class that affected Ghidra before version 9.1. CVE-2019-13623 was a path traversal vulnerability in RestoreTask.java (package ghidra.app.plugin.core.archive). That earlier flaw was fixed using the FileUtilities.isPathContainedWithin() validation pattern in JarDecompiler.java. However, this same validation was never applied to the extension installer code path in ExtensionUtils.java, allowing the identical class of vulnerability to resurface approximately seven years later.

The fix for CVE-2026-52752 applies the same FileUtilities.isPathContainedWithin() check before extraction, ensuring the resolved destination path remains within the target extension directory. This raises a natural question: are there other archive extraction code paths in Ghidra that still lack this validation?

Affected Systems and Versions

All versions of Ghidra before 12.0.2 are affected. The vulnerability exists in the extension installer component, specifically in ExtensionUtils.java. Any Ghidra installation where users install extensions via the standard File menu workflow is vulnerable.

The fix is available in Ghidra 12.0.2 and later.

Vendor Security History

The NSA's security track record with Ghidra reveals a pattern of path traversal and archive handling vulnerabilities:

CVEDescriptionAffected VersionCWESeverity
CVE-2019-13623Path traversal in RestoreTask.java via archive with traversal sequencesBefore 9.1CWE-22Medium
CVE-2019-13625XXE when a project is opened, restored, or a tool is importedBefore 9.0.1CWE-611Medium
CVE-2026-52752Zip Slip path traversal in extension installer via ZIP entry namesBefore 12.0.2CWE-22High

The recurrence of CWE-22 across two distinct code paths over a span of approximately seven years indicates a systemic gap in applying secure archive extraction patterns consistently across the Ghidra codebase. The fix for CVE-2019-13623 was applied locally in JarDecompiler.java but was not propagated to the extension installer, a pattern that suggests the project would benefit from a codebase wide audit of all archive extraction routines.

The advisory for CVE-2026-52752 was published on February 2, 2026 by emteere, with discovery credited to researchers @PrasanthSundararajan69 and Finder16. External security researchers have contributed to Ghidra's security posture previously; Oceanit's Software and Cybersecurity team found and fixed a separate vulnerability through responsible disclosure with the NSA.

References

Detect & fix
what others miss

Works with
  • GitHub
  • GitLab
  • Bitbucket
  • Azure DevOps Services
  • Jira
  • Linear
  • Slack
  • Security Compass
Security magnifying glass visualization