changedetection.io Zip Slip Vulnerability in Backup Restore Functionality Allowing Arbitrary File Overwrite

Vulnerability

A Zip Slip vulnerability has been identified in changedetection.io versions prior to 0.54.4. It allows arbitrary file overwrites through path traversal entries in uploaded ZIP archives processed by the backup restore functionality. The issue arises because the application calls zipfile.extractall() without validating entry paths, so a crafted ZIP file can place entries outside the intended directory and potentially overwrite sensitive files such as the Flask secret key or the application settings.

Impact

Exploitation of this vulnerability could lead to unauthorized access to sensitive application files, including the Flask secret key, which could be used for session forgery and authentication bypass. Additionally, overwriting application settings could disable password protections or inject backdoors.

Reproduction

To reproduce this vulnerability, upload a ZIP file containing path traversal entries that escape the extraction directory. The application will extract the files without validation, allowing the attacker-controlled content to overwrite sensitive files.

Remediation

Update to changedetection.io version 0.54.4 or later, which patches this vulnerability.
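A validation step of the kind the fix requires, added here as an example (it is not changedetection.io's own code): every member of an uploaded backup archive is checked against the destination directory before anything is extracted, and the archive is rejected outright if any entry would escape. The entry names and destination path are constructed for the demo.

```python
import io
import os
import stat
import zipfile
from pathlib import Path


def find_unsafe_members(zip_bytes: bytes, dest: str) -> list[str]:
    """Return the archive entries that must not be written under dest.

    An entry is unsafe if it is an absolute path, carries a drive letter,
    resolves outside dest (for example '../../secret.txt'), or is a symlink.
    The whole archive is rejected rather than relying on the extractor to
    silently strip '..' components, so the attempt is visible and loggable.
    """
    dest_real = Path(dest).resolve()
    unsafe = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        for info in archive.infolist():
            name = info.filename
            target = (dest_real / name).resolve()
            inside = target == dest_real or dest_real in target.parents
            # Unix file type is stored in the top 16 bits of external_attr.
            is_link = stat.S_ISLNK(info.external_attr >> 16)
            if (name.startswith(("/", "\\")) or os.path.splitdrive(name)[0]
                    or not inside or is_link):
                unsafe.append(name)
    return unsafe


def safe_restore(zip_bytes: bytes, dest: str) -> list[str]:
    """Extract only after every member is validated, so nothing is partially written."""
    bad = find_unsafe_members(zip_bytes, dest)
    if bad:
        raise ValueError(f"refusing backup archive, unsafe entries: {bad}")
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        archive.extractall(dest)
        return archive.namelist()


def build_zip(entries: dict[str, bytes]) -> bytes:
    """Constructed sample archive for the demo; not a real backup file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()
```

Rejecting rather than sanitising means a traversal attempt fails loudly and can be logged, instead of an entry landing silently at an unexpected path inside the data directory.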

Added: Mar 6, 2026, 7:20 AM
Updated: Mar 6, 2026, 7:20 AM

Vulnerability Rating

Custom Algorithm

spread: 0.3
impact: 0.8
exploitability: 5.8
remediation: 7.7
relevance: 3.5
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.