CVE-2026-52752
Description
Ghidra before 12.0.2 has a path traversal vulnerability in its extension installer, allowing arbitrary file writes and code execution.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Ghidra versions before 12.0.2 contain a path traversal vulnerability within the extension installer. This flaw occurs because the installer fails to validate ZIP entry names during the extraction process. The affected code is in Ghidra/Framework/Generic/src/main/java/ghidra/util/extensions/ExtensionUtils.java around line 579, where entry.getName() is used directly to construct the destination path without checking for path traversal sequences like ../ [1].
Exploitation
An attacker can craft a malicious extension ZIP file containing entries with path traversal sequences in their names, such as TestExtension/../../../../../EXPLOIT.sh. A user must then install this malicious extension by navigating to File -> Install Extensions -> click '+', selecting the crafted ZIP, and clicking Install Anyway when a version warning appears. This process will write the EXPLOIT.sh file to the user's home directory instead of the intended extensions folder [1].
Impact
Successful exploitation allows an attacker to write arbitrary files to any location on the filesystem where the Ghidra user has write permissions. This can lead to arbitrary code execution by overwriting critical configuration files like .bashrc or .profile, setting up cron jobs, or modifying SSH authorized keys [1].
Mitigation
Ghidra version 12.0.2 and later include a fix for this vulnerability. The recommended mitigation is to update Ghidra to version 12.0.2 or later. No workarounds are specified in the available references, and the vulnerability is listed under CWE-22 [2].
AI Insight generated on Jun 10, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <12.0.2
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"The extension installer fails to validate ZIP entry names during extraction, allowing path traversal."
Attack vector
An attacker can craft a malicious extension ZIP file containing traversal sequences like ../ in filenames [ref_id=1]. When a user installs this malicious extension through Ghidra's File -> Install Extensions menu, the application extracts the files without proper validation [ref_id=1]. This allows the attacker to write arbitrary files to any location on the filesystem that the user running Ghidra has write access to, potentially leading to code execution [ref_id=1].
Affected code
The vulnerability exists in Ghidra's extension installer, specifically in the `ExtensionUtils.java` file around line 579 [ref_id=1]. The affected code directly uses `entry.getName()` to construct the `filePath` without validating it for path traversal sequences, leading to the `destination` file potentially being outside the `installDir` [ref_id=1].
What the fix does
The fix involves ensuring that extracted ZIP entries are contained within the intended installation directory. The `FileUtilities.isPathContainedWithin()` method is used to check if the destination file path is within the specified installation directory before extraction [ref_id=1]. If an entry's path escapes the target directory, an IOException is thrown, preventing the malicious file from being written outside the intended location [ref_id=1]. This mirrors a fix used for a previous vulnerability in `JarDecompiler.java` [ref_id=1].
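A stand-alone Java illustration of the containment check described above, written as an added example rather than Ghidra's own code: it uses `java.nio.file.Path` normalization where the real fix calls `FileUtilities.isPathContainedWithin()`, and the class, method names and the in-memory sample ZIP are constructed for this demonstration.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.zip.ZipEntry;
import java.util.zip.ZipInputStream;
import java.util.zip.ZipOutputStream;

public class SafeExtensionExtract {
    // Resolve an entry name against installDir and reject it unless the normalized
    // result still lies inside installDir. This must run before any file is written.
    // Hypothetical helper standing in for FileUtilities.isPathContainedWithin().
    static Path resolveContained(Path installDir, String entryName) throws IOException {
        Path root = installDir.toAbsolutePath().normalize();
        Path target = root.resolve(entryName).normalize();
        if (!target.startsWith(root)) {   // element-wise check, not a string prefix test
            throw new IOException("ZIP entry escapes install dir: " + entryName);
        }
        return target;
    }
    // Extract every entry, failing closed on the first escaping name.
    static void extract(InputStream zipBytes, Path installDir) throws IOException {
        try (ZipInputStream zin = new ZipInputStream(zipBytes)) {
            for (ZipEntry e; (e = zin.getNextEntry()) != null; ) {
                Path dest = resolveContained(installDir, e.getName());
                if (e.isDirectory()) { Files.createDirectories(dest); continue; }
                Files.createDirectories(dest.getParent());
                Files.copy(zin, dest);   // reads until the end of the current entry
            }
        }
    }
    public static void main(String[] args) throws IOException {
        // Constructed sample ZIP: one benign entry and one with the traversal name from the advisory.
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ZipOutputStream zout = new ZipOutputStream(buf)) {
            zout.putNextEntry(new ZipEntry("TestExtension/extension.properties"));
            zout.write("name=TestExtension\n".getBytes());
            zout.putNextEntry(new ZipEntry("TestExtension/../../../../../EXPLOIT.sh"));
            zout.write("placeholder\n".getBytes());
        }
        Path installDir = Files.createTempDirectory("ghidra-ext");
        try {
            extract(new ByteArrayInputStream(buf.toByteArray()), installDir);
        } catch (IOException rejected) {
            System.out.println("Rejected: " + rejected.getMessage());   // fires on the second entry
        }
    }
}
```

The benign entry is written under the temporary install directory; the traversal entry is refused before anything is created outside it, which is the behaviour the 12.0.2 fix restores.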
Preconditions
- input: The user must install a malicious ZIP extension.
- input: The malicious ZIP extension must contain filenames with path traversal sequences (e.g., ../).
- auth: The user installing the extension must have write access to the target location where the arbitrary file is to be written.
Reproduction
1. Open Ghidra.
2. Navigate to File → Install Extensions.
3. Click the '+' button to add a new extension.
4. Select the crafted malicious ZIP file.
5. Click 'Install Anyway' when the version warning appears.
Result: An arbitrary file (e.g., EXPLOIT.sh) is written to the user's home directory instead of the Extensions folder, demonstrating code execution potential [ref_id=1].
Generated on Jun 10, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions
- National Security Agency's Ghidra: 15 Vulnerabilities Disclosed on June 10, 2026 (Vypr Intelligence · Jun 10, 2026)