Arbitrary File Write via Archive Extraction (Zip Slip)
Description
This affects all versions of package calipso. It is possible for a malicious module to overwrite files on an arbitrary file system through the module install functionality.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
All versions of calipso are vulnerable to arbitrary file write via archive extraction (Zip Slip) during module installation.
Vulnerability
All versions of the calipso Node.js CMS (up to and including the latest) are vulnerable to an arbitrary file write via archive extraction (Zip Slip) during the module install functionality. The calipso modules download command extracts a downloaded archive without validating file paths, allowing a malicious module to write files outside the intended installation directory. [1][3]
Exploitation
An attacker can host a crafted ZIP archive containing files with path traversal sequences (e.g., ../../../../../../../../tmp/foo.txt). The victim must run calipso modules download pointing to the malicious archive. No authentication is required beyond the ability to trigger the download command. The PoC from Snyk demonstrates extraction of files to arbitrary locations on the filesystem. [3]
Impact
Successful exploitation allows an attacker to overwrite arbitrary files on the system, potentially leading to remote code execution (e.g., overwriting application files or system scripts) or denial of service. The attacker gains the ability to write files with the privileges of the calipso process. [3]
Mitigation
As of the publication date (June 2021), there is no fixed version for calipso. The project appears to be unmaintained; users should consider migrating to an alternative CMS or implementing strict controls on module downloads. No workaround is provided in the references. [2][3]
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| calipso (npm) | <= 0.3.54 | — |
Affected products
- calipso/calipso
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- [1] github.com/advisories/GHSA-jxcc-g75x-qgw9 (ADVISORY)
- [2] nvd.nist.gov/vuln/detail/CVE-2021-23391 (ADVISORY)
- [3] snyk.io/vuln/SNYK-JS-CALIPSO-1300555 (WEB)
News mentions
No linked articles in our index yet.