CVE-2026-30345 in CTFd

Summary

by MITRE • 03/18/2026

A zip slip vulnerability in the Admin import functionality of CTFd v3.8.1-18-gdb5a18c4 allows attackers to write arbitrary files outside the intended directories via supplying a crafted import.


Analysis

by VulDB Data Team • 03/24/2026

The zip slip vulnerability in CTFd 3.8.1-18-gdb5a18c4 is a directory traversal flaw in the platform's administrative import feature, which accepts a zip archive from an administrator and unpacks it on the server. An attacker supplies an archive whose entry names contain traversal sequences; because the application does not confine the extracted paths to the intended target directory, the archive's contents can be written to arbitrary locations on the server filesystem. The affected endpoint is part of the admin interface, so exploitation requires an administrator account or an administrator who can be induced to import an attacker-supplied archive. Once triggered, however, the write lands with whatever filesystem rights the CTFd service process holds, which is what makes a simple file-write primitive dangerous.

Technically this is the classic zip slip pattern: an archive entry's stored name is joined onto the extraction directory and written out without first canonicalizing the result and checking that it still lies inside that directory. Zip entry names are attacker-controlled strings, and nothing in the format prevents ../ components (or ..\ for extractors that honour backslashes), so a name that begins with ../../ resolves to a path outside the target tree. The weakness is classified as CWE-22, Improper Limitation of a Pathname to a Restricted Directory (path traversal): the application trusts archive metadata as if it were a filename it had chosen itself.

The impact depends on which paths the CTFd process can write. Overwriting application source, templates or configuration, or dropping a file that the web server or a scheduled job will later execute, turns the arbitrary file write into code execution; from there an attacker can read and exfiltrate the instance's data or establish persistence. Clobbering files the service needs is a denial-of-service outcome even without execution. CTFd instances are frequently internet-facing and run by small teams for the duration of an event, so an administrator account obtained or phished during a competition is a realistic prerequisite rather than a theoretical one. In ATT&CK terms the follow-on activity maps to T1059 (Command and Scripting Interpreter) once the attacker has written something the host will execute; the write itself is the enabler, not the technique.

Mitigation starts with upgrading to a CTFd release that fixes the import path handling. Until that is possible, keep the set of administrator accounts small and treat any archive offered to the import feature as untrusted input. The code-level fix is the standard one for zip slip: resolve the destination directory to its canonical form, resolve each entry's target with the same canonicalization, and refuse the whole archive if any target does not stay under the destination; absolute names, drive letters and backslash separators should be rejected outright rather than normalized. Defence in depth limits what a successful write can reach: run the CTFd process as a low-privileged user whose write access is confined to its upload and data directories, and keep the application code itself read-only to that user. For detection, log every import (which admin, when, and the archive size) and alert on imports outside scheduled event setup; network-level signatures are of little use here, since the request is an ordinary authenticated admin upload over HTTPS. The flaw is a reminder that archive handling is input parsing, and that every name read from an archive needs the same validation as any other user-supplied path.
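As an added illustration of the extraction pattern and the fix described above (this is not CTFd's import code, and nothing in it is taken from the project or the advisory), the following Python puts the vulnerable write loop next to a lexical audit of entry names and a hardened extractor. The archive layout, the entry names and the function names are constructed for the example; the crafted archive is built in memory so the script runs offline.

```python
"""Zip slip: vulnerable write loop, lexical audit, and hardened extractor.
Illustrative code, not CTFd's import routine; archive contents are constructed."""
import io
import ntpath
import os
import posixpath
import tempfile
import zipfile


def build_crafted_import(hostile_name="../../escaped.txt"):
    """Constructed sample input: one benign entry plus one whose stored name
    carries a traversal sequence. zipfile stores the name verbatim."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("db/challenges.json", "[]")
        zf.writestr(hostile_name, "owned\n")
    return buf.getvalue()


def extract_naive(zip_bytes, dest):
    """VULNERABLE pattern: each entry name is joined onto dest and written
    without checking where the joined path resolves, so '../' walks out."""
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            target = os.path.join(dest, info.filename)
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as fh:
                fh.write(zf.read(info))
            written.append(os.path.abspath(target))
    return written


def find_hostile_entries(zip_bytes):
    """Lexical audit with no filesystem access: an entry is hostile if its
    normalised name is absolute, drive-qualified, or begins with '..'.
    Backslashes count as separators because Windows extractors honour them."""
    hostile = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            norm = posixpath.normpath(name.replace("\\", "/"))
            if (norm.startswith("/") or ntpath.splitdrive(norm)[0]
                    or norm == ".." or norm.startswith("../")):
                hostile.append(name)
    return hostile


def safe_extract(zip_bytes, dest):
    """Hardened pattern: audit every name before writing anything, then
    re-check each canonical target with realpath so a symlink already under
    dest cannot redirect a write outside it."""
    bad = find_hostile_entries(zip_bytes)
    if bad:
        raise ValueError(f"refusing archive, traversal in entries: {bad}")
    root = os.path.realpath(dest)
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename.replace("\\", "/")
            target = os.path.realpath(os.path.join(root, name))
            if target == root or os.path.commonpath([root, target]) != root:
                raise ValueError(f"entry escapes destination: {info.filename!r}")
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as fh:
                fh.write(zf.read(info))
            written.append(target)
    return written


def demo(root=None):
    """Run both extractors against the crafted archive in a fresh temp tree
    (root/app/uploads) and report what each one did."""
    root = root or tempfile.mkdtemp()
    dest = os.path.join(root, "app", "uploads")
    os.makedirs(dest, exist_ok=True)
    payload = build_crafted_import()
    naive = extract_naive(payload, dest)  # writes root/escaped.txt
    try:
        safe_extract(payload, dest)
        refused = False
    except ValueError:
        refused = True
    return {
        "escaped_file_exists": os.path.isfile(os.path.join(root, "escaped.txt")),
        "naive_written": naive,
        "safe_refused": refused,
        "benign_written": safe_extract(build_crafted_import("db/users.json"), dest),
    }


if __name__ == "__main__":
    print("hostile entries:", find_hostile_entries(build_crafted_import()))
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The audit is deliberately lexical so it can run on an upload before anything touches disk and be logged as a detection signal; the realpath containment check in `safe_extract` is the second layer, because a lexically clean name can still resolve outside the destination through a symlink planted earlier. Note that `zipfile.extractall` in current CPython already strips leading `..` components; the vulnerable pattern shown here is the hand-rolled loop that reads entries and writes them itself.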

Responsible: MITRE

Reservation: 03/04/2026

Disclosure: 03/18/2026

Moderation: accepted

CPE: ready

EPSS: 0.00081

KEV: no

Activities: very low
