CVE-2026-33529 Overview
CVE-2026-33529 is an authenticated path traversal vulnerability (CWE-22) in Zoraxy, a general-purpose HTTP reverse proxy and forwarding tool. Prior to version 3.3.2, the configuration import endpoint fails to properly sanitize file paths within uploaded ZIP archives, allowing authenticated users to write arbitrary files outside the intended configuration directory. This vulnerability can be exploited to achieve Remote Code Execution (RCE) by creating malicious plugins.
Critical Impact
Authenticated attackers can leverage this path traversal vulnerability to write arbitrary files to the server filesystem, potentially achieving remote code execution through malicious plugin creation.
Affected Products
- Zoraxy versions prior to 3.3.2
Discovery Timeline
- 2026-03-26 - CVE-2026-33529 published to NVD
- 2026-03-26 - Last updated in NVD database
Technical Details for CVE-2026-33529
Vulnerability Analysis
This path traversal vulnerability exists in the configuration import functionality of Zoraxy. The vulnerability is classified under CWE-22 (Improper Limitation of a Pathname to a Restricted Directory), commonly known as "Path Traversal" or "Directory Traversal."
The core issue lies in inadequate sanitization of filenames within ZIP archives during the configuration restore process. While the original code attempted to filter out path traversal sequences by replacing ../ with an empty string, this approach was insufficient to prevent all forms of path traversal attacks, particularly the "zip-slip" technique where specially crafted ZIP archives contain files with directory traversal sequences in their names.
An authenticated attacker could craft a malicious ZIP file containing filenames with path traversal sequences that bypass the simple string replacement. When the configuration import processes this ZIP file, the attacker-controlled files would be written outside the designated conf/ directory to arbitrary locations on the filesystem. The most impactful exploitation scenario involves creating a malicious plugin, which would then be executed by Zoraxy, leading to remote code execution.
Root Cause
The vulnerability stems from inadequate path sanitization in the config.go file. The original implementation used a simple string replacement to remove ../ sequences from filenames:
zipFile.Name = strings.ReplaceAll(zipFile.Name, "../", "")
This approach is fundamentally flawed for several reasons:
- It does not account for platform-specific path separators (e.g., ..\ on Windows), which the replacement of the forward-slash form never touches
- It does not canonicalize paths before validation
- It does not verify that the resolved absolute path remains within the target directory
Attack Vector
The attack requires network access and authenticated privileges to the Zoraxy administrative interface. An attacker would:
- Authenticate to the Zoraxy web interface
- Craft a malicious ZIP archive containing files with path traversal sequences (zip-slip)
- Upload the malicious ZIP file through the configuration import endpoint
- The server processes the ZIP and writes files to attacker-controlled locations
- If the attacker creates a malicious plugin file, it will be loaded and executed by Zoraxy
The following patch demonstrates the security fix implemented in version 3.3.2:
// Sanitize the file name to prevent path traversal (zip-slip)
cleanedName := filepath.Clean(filepath.FromSlash(zipFile.Name))
cleanedNameSlash := filepath.ToSlash(cleanedName)
fmt.Println("Restoring: " + cleanedNameSlash)
if cleanedNameSlash == "sys.db" {
	// Sysdb replacement. Close the database and restore
	sysdb.Close()
	restoreDatabase = true
} else if !strings.HasPrefix(cleanedNameSlash, "conf/") {
	// Malformed zip file.
	http.Error(w, "Invalid zip file structure or version too old", http.StatusInternalServerError)
	return
}
// Resolve to absolute path and verify it stays within the target directory
absTargetDir, _ := filepath.Abs(targetDir)
absFilePath, _ := filepath.Abs(cleanedName)
if cleanedNameSlash != "sys.db" && !strings.HasPrefix(absFilePath, absTargetDir+string(os.PathSeparator)) {
	http.Error(w, "Invalid file path in zip", http.StatusBadRequest)
	return
}
Source: GitHub Commit 69ac755
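To make the contrast between the root cause and the fix concrete, here is an added Go example written for this page (not Zoraxy's own code) that places the pre-3.3.2 string replacement beside a hardened check built from the same filepath.Clean / FromSlash / Abs steps the patch uses. The helper names, the target directory /srv/zoraxy and the archive entry names are all constructed for the demonstration.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ErrUnsafeEntry marks an entry that would land outside the expected conf/ layout.
var ErrUnsafeEntry = errors.New("zip entry rejected")

// naiveSanitize reproduces the pre-3.3.2 approach from the Root Cause section:
// a single string replacement, kept here only to contrast with the hardened check.
func naiveSanitize(name string) string {
	return strings.ReplaceAll(name, "../", "")
}

// safeRestorePath applies the logic the patch describes: canonicalise the entry
// name, require the conf/ prefix (or the special sys.db entry), then resolve the
// absolute destination under targetDir and confirm it stays inside it.
// Hypothetical helper written for this page, not a Zoraxy function.
func safeRestorePath(targetDir, entryName string) (string, error) {
	// Clean collapses ".", ".." and repeated separators, so any traversal that
	// survives (or is created by) string replacement is normalised away first.
	cleaned := filepath.Clean(filepath.FromSlash(entryName))
	cleanedSlash := filepath.ToSlash(cleaned)
	// A config export only ever contains sys.db and files beneath conf/.
	if cleanedSlash != "sys.db" && !strings.HasPrefix(cleanedSlash, "conf/") {
		return "", fmt.Errorf("%w: %q", ErrUnsafeEntry, entryName)
	}
	absTarget, err := filepath.Abs(targetDir)
	if err != nil {
		return "", err
	}
	// Defence in depth: join under the target and re-check with a trailing
	// separator, so "/srv/zoraxy-other" is not mistaken for a child of "/srv/zoraxy".
	dest := filepath.Join(absTarget, cleaned)
	if !strings.HasPrefix(dest, absTarget+string(os.PathSeparator)) {
		return "", fmt.Errorf("%w: %q", ErrUnsafeEntry, entryName)
	}
	return dest, nil
}

func main() {
	// Constructed entry names, not taken from any real archive.
	for _, name := range []string{"conf/proxy/site.config", "sys.db", "../plugins/x", `..\..\plugins\x`} {
		dest, err := safeRestorePath("/srv/zoraxy", name)
		fmt.Printf("%-24q naive=%-20q hardened=%q %v\n", name, naiveSanitize(name), dest, err)
	}
}
```

Running it shows the naive replacement leaving the backslash form untouched while the hardened check rejects every entry that is not sys.db or beneath conf/.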
Detection Methods for CVE-2026-33529
Indicators of Compromise
- Unexpected files appearing outside the Zoraxy conf/ directory following configuration import operations
- New or modified plugin files in the Zoraxy plugins directory that were not legitimately installed
- Authentication logs showing configuration import activity followed by suspicious system behavior
- Web server logs showing POST requests to the configuration import endpoint with unusually large payloads
Detection Strategies
- Monitor filesystem changes in the Zoraxy installation directory and parent directories for unauthorized file creation
- Implement file integrity monitoring on critical directories including the plugins folder
- Review authentication and access logs for the Zoraxy administrative interface for suspicious import activity
- Deploy web application firewall rules to inspect ZIP file uploads for path traversal sequences
Monitoring Recommendations
- Enable detailed logging for all configuration import operations in Zoraxy
- Set up alerts for any file writes outside the designated configuration directory
- Monitor for new plugin registrations or unexpected plugin executions
- Implement regular security audits of the Zoraxy installation directory structure
How to Mitigate CVE-2026-33529
Immediate Actions Required
- Upgrade Zoraxy to version 3.3.2 or later immediately
- Review Zoraxy access logs for any suspicious configuration import activity
- Audit the filesystem for any unauthorized files that may have been created through exploitation
- Restrict administrative access to the Zoraxy interface to trusted users only
- Consider temporarily disabling the configuration import functionality until the patch is applied
Patch Information
The vulnerability has been patched in Zoraxy version 3.3.2. The fix implements proper path canonicalization using filepath.Clean and filepath.FromSlash, combined with absolute path resolution to verify that extracted files remain within the intended target directory.
For detailed information about the security fix, refer to:
Workarounds
- Restrict access to the Zoraxy administrative interface using network-level controls (firewall rules, VPN)
- Implement strong authentication and limit the number of users with configuration import privileges
- Deploy a web application firewall to inspect and filter malicious ZIP uploads
- Monitor and alert on any file creation events in the Zoraxy installation directory hierarchy
# Example: Restrict access to Zoraxy admin interface via iptables
# Allow only trusted IP addresses to access the admin port (8000 is used here;
# match it to the port your Zoraxy instance actually listens on)
iptables -A INPUT -p tcp --dport 8000 -s 192.168.1.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 8000 -j DROP
# -A appends, so an earlier ACCEPT rule in the INPUT chain would still match first;
# use -I INPUT to insert at the top if the chain already carries broad allow rules
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.