CVE-2026-52755
Description
Ghidra versions prior to 12.0.4 are vulnerable to path traversal in theme import, allowing arbitrary file writes and code execution.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Ghidra versions before 12.0.4 contain a path traversal vulnerability within the theme import functionality. This vulnerability exists because the code extracts files from imported ZIP archives without validating the entry names. Specifically, in `Ghidra/Framework/Docking/src/main/java/docking/theme/gui/ThemeUtils.java`, ZIP entry names are used directly to construct file paths, allowing for traversal sequences like `../` in filenames to write files outside the intended theme directory [1, 2].
Exploitation
An attacker can craft a malicious theme ZIP file containing traversal sequences in filenames. A user must then import this malicious ZIP file through the Edit → Theme → Import menu in Ghidra. For example, a ZIP entry named `images/../../../../payload.sh` would be written outside the theme folder. Running the extracted script, such as `bash ~/payload.sh`, demonstrates arbitrary code execution [1].
Impact
Successful exploitation allows an attacker to write arbitrary files to any location on the filesystem where the Ghidra user has write access. This can include sensitive files like `.bashrc`, `.profile`, or `.ssh/authorized_keys`. Modifying these files can lead to automatic execution of code on the next terminal session or grant unauthorized remote access without requiring further user interaction [1, 2].
Mitigation
Ghidra version 12.0.4 and later include a fix that validates that extracted file paths remain within the target directory before writing, using a pattern similar to `FileUtilities.isPathContainedWithin()` [1]. No workarounds are disclosed in the available references. The vulnerability is listed under CWE-22 [2].
AI Insight generated on Jun 10, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <12.0.4
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"The theme import functionality extracts ZIP archive entries without validating filenames, allowing path traversal."
Attack vector
An attacker crafts a malicious ZIP file containing traversal sequences (e.g., `../../`) within filenames. When a user imports this ZIP file through Ghidra's theme import feature (Edit → Theme → Import), the application extracts these files. The lack of validation allows these specially crafted filenames to write files outside the intended theme directory, potentially overwriting sensitive files or executing arbitrary code [1].
Affected code
The vulnerability resides in the theme import and extraction logic within `Ghidra/Framework/Docking/src/main/java/docking/theme/gui/ThemeUtils.java`. Specifically, ZIP entry names are used directly to construct file paths without proper checks for path traversal sequences [1].
What the fix does
The patch introduces validation to ensure that extracted file paths remain within the target directory. It uses a `FileUtilities.isPathContainedWithin()` check before extraction, similar to a previous fix for CVE-2019-13623. This prevents malicious ZIP entries with path traversal sequences from writing files outside the designated theme folder [1].
Preconditions
- Input: The attacker must provide a specially crafted ZIP file with traversal sequences in filenames.
- Input: The user must import the malicious theme ZIP file into Ghidra.
Reproduction
Created a malicious theme ZIP containing:
- `ThemeZip/Theme.theme` (valid theme metadata)
- `ThemeZip/images/icon.png` (valid theme icon)
- `images/../../../../payload.sh` (payload with path traversal)
Steps to reproduce:
- Open Ghidra
- Edit → Theme → Import
- Select the malicious theme ZIP
Result: `payload.sh` is written to the user's home directory
Running `bash ~/payload.sh` opens the Calculator, demonstrating arbitrary code execution potential. [1]
Generated on Jun 10, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions
- National Security Agency's Ghidra: 15 Vulnerabilities Disclosed on June 10, 2026 · Vypr Intelligence · Jun 10, 2026