CVE-2026-22685 Overview
CVE-2026-22685 is a path traversal vulnerability in the DevToys desktop application that affects the extension installation mechanism. DevToys, a popular utility application for developers, fails to properly validate file paths contained within NUPKG extension packages during the extraction process. This allows malicious extension packages containing crafted file entries with sequences like ../../…/target-file to write files outside the intended extensions directory, potentially overwriting arbitrary files on the user's system.
Critical Impact
Successful exploitation enables attackers to overwrite arbitrary files on the victim's system with the privileges of the DevToys process, potentially leading to code execution, configuration tampering, or corruption of application or system files.
Affected Products
- DevToys versions 2.0.0.0 to before 2.0.9.0
Discovery Timeline
- 2026-01-10 - CVE-2026-22685 published to NVD
- 2026-01-13 - Last updated in NVD database
Technical Details for CVE-2026-22685
Vulnerability Analysis
This vulnerability (CWE-22: Improper Limitation of a Pathname to a Restricted Directory) occurs within DevToys' extension installation workflow. When a user installs an extension package (NUPKG archive), the application extracts the archive contents without properly sanitizing the file paths embedded within the package. The extraction routine trusts the path information provided in the archive, allowing an attacker to craft malicious entries that traverse outside the designated extensions directory.
The impact of this vulnerability depends on the user's environment and the files targeted for overwrite. An attacker could potentially replace executable files, configuration files, or system libraries with malicious versions. On Windows systems where DevToys typically runs, this could lead to persistence mechanisms, privilege escalation if combined with other vulnerabilities, or complete compromise of developer workstations.
Root Cause
The root cause lies in insufficient input validation of file path entries during NUPKG archive extraction. The DevToys extensions manager did not properly sanitize or validate path components before writing extracted files to disk. Path traversal sequences such as ../ were not stripped or blocked, allowing the extraction process to resolve paths outside the intended target directory.
Attack Vector
The attack vector requires user interaction—specifically, a user must download and install a malicious extension package. An attacker could distribute such packages through social engineering, typosquatting on package repositories, or by compromising legitimate extension distribution channels. Once the victim attempts to install the crafted extension, the extraction process writes malicious files to attacker-controlled locations on the file system.
The following patch demonstrates the security fix applied to address this vulnerability:
[Oo]bj/
# [Oo]ut/
[Ll]og/
-[Ll]ogs/
\ No newline at end of file
+[Ll]ogs/
+
+# TestData
+!**/**/TestData/**
\ No newline at end of file
Source: GitHub Commit Update
The fix includes updates to the extensions manager to properly handle CWE-22 (Path Traversal) and CWE-23 (Relative Path Traversal) vulnerabilities, along with dependency updates:
<PackageVersion Include="NuGet.Packaging" Version="6.9.1" />
<PackageVersion Include="Nuke.Common" Version="8.0.0" />
<PackageVersion Include="OneOf" Version="3.0.271" />
- <PackageVersion Include="SixLabors.ImageSharp" Version="3.1.5" />
+ <PackageVersion Include="SixLabors.ImageSharp" Version="3.1.12" />
<PackageVersion Include="System.Text.Json" Version="8.0.5" />
<PackageVersion Include="System.CommandLine" Version="2.0.0-beta4.22272.1" />
<PackageVersion Include="System.ComponentModel.Composition" Version="$(DotNetVersion)" />
Source: GitHub Commit Update
Detection Methods for CVE-2026-22685
Indicators of Compromise
- Unexpected files appearing outside the DevToys extensions directory (typically %APPDATA%\DevToys\Extensions\ or similar)
- File system events showing DevToys.exe writing to unusual directories during extension installation
- Modified or corrupted system files with timestamps correlating to extension installation activities
- Suspicious NUPKG files containing entries with ../ path traversal sequences
Detection Strategies
- Monitor file system activity during DevToys extension installations for writes outside the expected extensions directory
- Implement file integrity monitoring (FIM) on critical system and application directories to detect unauthorized modifications
- Analyze NUPKG packages before installation using archive inspection tools to identify path traversal patterns
- Review DevToys application logs for unusual extraction paths or error messages related to file operations
Monitoring Recommendations
- Enable process monitoring to track file operations performed by the DevToys process
- Configure endpoint detection tools to alert on path traversal patterns (e.g., ../) in file paths accessed by desktop applications
- Implement application whitelisting policies that detect unexpected file modifications by developer tools
- Monitor for new or modified files in sensitive directories that correlate with DevToys execution
How to Mitigate CVE-2026-22685
Immediate Actions Required
- Update DevToys to version 2.0.9.0 or later immediately
- Audit recently installed extensions and verify their source authenticity
- Review file system changes on systems where untrusted extensions may have been installed
- Only install extensions from trusted, verified sources
Patch Information
The vulnerability has been patched in DevToys version 2.0.9.0. The fix implements proper path validation during NUPKG extraction to prevent path traversal attacks. Technical details of the patch are available in the GitHub Pull Request #1643 and the GitHub Security Advisory.
Workarounds
- Avoid installing any extensions from untrusted or unverified sources until the update is applied
- Manually inspect NUPKG files for suspicious path entries before installation using archive tools
- Run DevToys with minimal privileges to limit the impact of potential file overwrites
- Consider temporarily disabling extension installation functionality if updates cannot be immediately applied
# Verify DevToys version on Windows (PowerShell)
Get-ItemProperty "HKCU:\Software\DevToys" | Select-Object Version
# Or check the installed application version directly
# Ensure version is 2.0.9.0 or higher
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
