Ackites KillWxapkg wxapkg File Parser unpack.go processFile os command injection
Description
A critical OS command injection vulnerability in KillWxapkg up to 2.4.1 allows remote attackers to execute arbitrary commands via a crafted wxapkg file.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A critical OS command injection vulnerability in KillWxapkg up to 2.4.1 allows remote attackers to execute arbitrary commands via a crafted wxapkg file.
Vulnerability
Description The vulnerability is located in the processFile function within internal/unpack/unpack.go of the Ackites KillWxapkg tool (versions up to 2.4.1). The software, which is used for automated decompilation and security assessment of WeChat Mini Programs, improperly validates input during wxapkg file parsing. This lack of sanitization leads to OS command injection, meaning an attacker can inject arbitrary operating system commands that are executed in the context of the user running the tool [1][3].
Exploitation
Analysis An attacker can exploit this vulnerability remotely by providing a maliciously crafted wxapkg file to the victim. The attack complexity is rated as high, and exploitation is considered difficult, likely due to the need for a specifically crafted payload that bypasses any rudimentary checks. The official issue report demonstrates a proof-of-concept that includes arbitrary file write via path traversal (e.g., writing files outside the intended extraction directory) which can be leveraged to achieve command execution [2][3]. The attack does not require authentication beyond the victim opening the malicious file with KillWxapkg.
Impact
Successful exploitation allows an attacker to execute arbitrary OS commands on the target system. This can lead to complete compromise of the affected machine, including data theft, installation of malware, or further lateral movement within a network. Since KillWxapkg is often used in security assessments and development environments, the impact is heightened in those contexts [2][3].
Mitigation
Status As of the publication date, the version 2.4.1 remains unpatched. No official fix or workaround has been released by the vendor. Users are advised to consider temporarily suspending use of the tool, or to exercise extreme caution by not opening untrusted wxapkg files. The exploit code has been publicly disclosed, increasing the risk of active exploitation [1][3].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
github.com/Ackites/KillWxapkgGo | <= 1.1.0 | — |
Affected products
3- ghsa-coords2 versionspkg:golang/github.com/ackites/killwxapkgpkg:rpm/opensuse/govulncheck-vulndb&distro=openSUSE%20Tumbleweed
<= 1.1.0+ 1 more
- (no CPE)range: <= 1.1.0
- (no CPE)range: < 0.0.20250730T213748-1.1
- Range: 2.4.0
Patches
0No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing path sanitization in the wxapkg file extraction logic allows directory traversal via crafted filenames."
Attack vector
An attacker crafts a malicious wxapkg file containing a filename with path traversal sequences (e.g., `../../../../../../../../Users/whoami/Desktop/zznq.txt`) [ref_id=2][ref_id=3]. When the victim uses KillWxapkg to parse and extract this file, the `processFile` function writes the file content to an arbitrary location on the host file system [CWE-77][CWE-78]. Under certain conditions, this arbitrary file write can be escalated to remote command execution. The attack requires the victim to process a malicious wxapkg, and the complexity is considered high [ref_id=1].
Affected code
The vulnerability resides in the `processFile` function within `internal/unpack/unpack.go` of the KillWxapkg tool (up to version 2.4.1). The wxapkg file parsing and extraction logic does not sanitize file paths embedded in the package, as noted by the recommendation pointing to `unpack.go#L179` [ref_id=2][ref_id=3].
What the fix does
No patch is provided in the bundle. The advisory recommends implementing strict path sanitization when extracting wxapkg files, specifically at `unpack.go#L179` [ref_id=2][ref_id=3]. A proper fix would validate that extracted file paths do not contain directory traversal sequences (e.g., `../`) and ensure all output paths remain within the intended extraction directory.
Preconditions
- inputVictim must use KillWxapkg (up to v2.4.1) to parse a malicious wxapkg file
- inputAttacker must craft a wxapkg file with path traversal sequences in filenames
Reproduction
1. Create a malicious wxapkg file using the Go test code provided in the PoC, which embeds a filename with path traversal (e.g., `../../../../../../../../Users/whoami/Desktop/zznq.txt`) and arbitrary content [ref_id=2][ref_id=3]. 2. Run KillWxapkg against this crafted file (e.g., `KillWxapkg malicious.wxapkg`). 3. Observe that the file is written to the attacker-specified path outside the intended extraction directory, demonstrating arbitrary file write.
Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
7- github.com/Ackites/KillWxapkg/issues/85mitreexploitissue-tracking
- github.com/advisories/GHSA-w6p4-84vc-qc2wghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2025-5030ghsaADVISORY
- vuldb.comghsathird-party-advisoryWEB
- github.com/Ackites/KillWxapkg/issues/85ghsaissue-trackingWEB
- vuldb.comghsasignaturepermissions-requiredWEB
- vuldb.comghsavdb-entrytechnical-descriptionWEB
News mentions
0No linked articles in our index yet.