CVE-2026-33529: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in tobychui zoraxy
CVE-2026-33529 is a path traversal vulnerability (CWE-22) in the tobychui zoraxy HTTP reverse proxy before version 3.3.2. An authenticated user can abuse the configuration import endpoint to write files outside the intended configuration directory, and because the write is arbitrary it can be used to drop a malicious plugin and obtain remote code execution (RCE) on the host. The CVSS v3.1 base score is 3.3: the attack requires authentication, is rated high complexity, and the scored confidentiality and integrity impact is low. No exploitation in the wild has been reported. The issue is fixed in version 3.3.2.
AI Analysis
Technical Summary
Zoraxy is a general-purpose HTTP reverse proxy and forwarding tool used to manage and route HTTP traffic. Versions before 3.3.2 contain a path traversal flaw (CWE-22) in the configuration import endpoint: file names taken from the imported configuration are written relative to the configuration directory without an adequate check that the resolved path stays inside it, so an authenticated user can place files anywhere the zoraxy process is permitted to write. Because the write is arbitrary, the most direct escalation is to drop a malicious plugin, which yields remote code execution (RCE) on the host. The attack requires valid credentials, and the CVSS v3.1 base score of 3.3 rates it as high complexity with low confidentiality and integrity impact and no availability impact. That score measures the direct effect of the traversal and does not capture the follow-on code execution, so the operational risk is higher than the number alone suggests. The vulnerability was publicly disclosed on March 26, 2026, and fixed in zoraxy 3.3.2. No active exploitation has been reported.
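The traversal pattern the summary describes, shown as an added Go example that is not Zoraxy's code: a naive resolver that joins an archive entry name onto the configuration directory with no containment check, beside a hardened one that rejects any name resolving outside that directory. The directory path, entry names and function names are illustrative assumptions made for this example.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrTraversal is returned when an entry name would place a file outside
// the configuration directory.
var ErrTraversal = errors.New("entry path escapes configuration directory")

// vulnerableResolve is the CWE-22 pattern this advisory describes: the
// entry name taken from an uploaded configuration archive is joined onto
// the config directory with no containment check. filepath.Join cleans
// the result, so "../plugins/evil.so" silently resolves to a sibling of
// configDir, and a later os.WriteFile lands outside it.
func vulnerableResolve(configDir, entryName string) string {
	return filepath.Join(configDir, entryName)
}

// safeResolve joins the entry name onto configDir and then checks the
// cleaned result lexically: it must be a proper, non-empty path strictly
// below configDir. Absolute names and names carrying a volume prefix are
// rejected up front. (Hypothetical helper, not Zoraxy's own API.)
func safeResolve(configDir, entryName string) (string, error) {
	if entryName == "" || filepath.IsAbs(entryName) || filepath.VolumeName(entryName) != "" {
		return "", ErrTraversal
	}
	base, err := filepath.Abs(configDir)
	if err != nil {
		return "", err
	}
	target := filepath.Join(base, entryName) // Join also runs filepath.Clean
	rel, err := filepath.Rel(base, target)
	if err != nil {
		return "", err
	}
	// After cleaning, the only way out of base is a leading "..".
	// A rel of "." means the entry named the directory itself, which is
	// never a valid file to write.
	if rel == "." || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrTraversal
	}
	return target, nil
}

// checkImport resolves every entry of a constructed import manifest and
// reports which ones a hardened importer would write and which it would
// reject, returning the accepted absolute targets for inspection.
func checkImport(configDir string, entries []string) (accepted []string, rejected []string) {
	for _, e := range entries {
		if p, err := safeResolve(configDir, e); err == nil {
			accepted = append(accepted, p)
		} else {
			rejected = append(rejected, e)
		}
	}
	return accepted, rejected
}

func main() {
	// Constructed manifest: entry names as they might appear in an import
	// archive. The directory and names are illustrative, not Zoraxy's.
	configDir := "/srv/zoraxy/conf"
	entries := []string{
		"rules/site.json",       // legitimate
		"../plugins/evil.so",    // classic traversal into a plugin directory
		"rules/../../plugins/x", // traversal hidden behind a valid prefix
		"/etc/cron.d/backdoor",  // absolute path
		"./rules/./site.json",   // harmless noise, cleans to rules/site.json
	}
	for _, e := range entries {
		naive := vulnerableResolve(configDir, e)
		safe, err := safeResolve(configDir, e)
		if err != nil {
			fmt.Printf("%-24s naive->%-34s hardened->REJECT (%v)\n", e, naive, err)
			continue
		}
		fmt.Printf("%-24s naive->%-34s hardened->%s\n", e, naive, safe)
	}
}
```

The check is lexical, so it must run on the final resolved name rather than on a pre-decoded or pre-normalised one, and it does not protect against a symlink already inside the configuration directory pointing elsewhere; for that, resolve the parent directory with filepath.EvalSymlinks before writing, or on Go 1.24 and later open the directory with os.Root and perform the write through it.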
Potential Impact
An authenticated attacker who exploits this flaw can write arbitrary files on the host, and a file dropped into the plugin directory can become code execution, giving persistent control over a component that sits in front of other services. That in turn threatens the confidentiality and integrity of every site proxied through the instance, since an attacker controlling the proxy can read, alter or redirect traffic and can disrupt proxy operation. The authentication requirement and high attack complexity narrow the pool of plausible attackers, and no exploitation has been reported, but for organisations that rely on zoraxy as a gateway for sensitive traffic the consequences of a successful exploit are severe.
Mitigation Recommendations
Upgrade zoraxy to 3.3.2 or later; that is the only complete fix. Until the upgrade is done, limit who can reach the management interface and its configuration import endpoint (network segmentation, allow-listing of administrator sources, or a front-end proxy that filters requests to the configuration endpoints) and watch authentication logs for logins from unexpected sources. Treat administrator credentials as the control that matters most here: enforce strong passwords, use multi-factor authentication where the deployment supports it, and rotate any credential that may have been exposed. Audit the configuration and plugin directories on a schedule and alert on any file that was not placed there by a known change; an unexpected entry in the plugin directory is the most direct indicator that this flaw has been abused. Keep an incident response plan ready so that such a finding can be investigated and the host rebuilt quickly.
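To make the audit recommendation concrete, an added Go example that is not part of this advisory or of Zoraxy: a baseline-and-compare fingerprinter for the configuration and plugin directories. It records a SHA-256 per regular file and the target of each symlink, then reports added, modified and removed paths between two runs. The temporary tree and file names are constructed for the demo.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"sort"
)

// Snapshot maps each path below the audited root (relative, slash-separated)
// to a fingerprint: hex SHA-256 of a regular file's contents, or
// "symlink:<target>" for a symbolic link. Links are recorded, not followed,
// so a link pointing outside the tree cannot pull foreign content into it.
type Snapshot map[string]string

// TakeSnapshot walks root and fingerprints every file and link under it.
func TakeSnapshot(root string) (Snapshot, error) {
	snap := Snapshot{}
	err := filepath.WalkDir(root, func(p string, d fs.DirEntry, err error) error {
		if err != nil || d.IsDir() {
			return err
		}
		rel, err := filepath.Rel(root, p)
		if err != nil {
			return err
		}
		key := filepath.ToSlash(rel)
		switch {
		case d.Type()&fs.ModeSymlink != 0:
			target, err := os.Readlink(p)
			if err != nil {
				return err
			}
			snap[key] = "symlink:" + target
		case d.Type().IsRegular():
			// Config and plugin files are small; read whole and hash.
			data, err := os.ReadFile(p)
			if err != nil {
				return err
			}
			sum := sha256.Sum256(data)
			snap[key] = hex.EncodeToString(sum[:])
		}
		return nil // sockets, devices and the like are out of scope
	})
	return snap, err
}

// Diff lists paths whose fingerprint differs between baseline and current.
type Diff struct{ Added, Modified, Removed []string }

// Compare returns the sorted changes from baseline to current.
func Compare(baseline, current Snapshot) Diff {
	var d Diff
	for k, v := range current {
		if old, ok := baseline[k]; !ok {
			d.Added = append(d.Added, k)
		} else if old != v {
			d.Modified = append(d.Modified, k)
		}
	}
	for k := range baseline {
		if _, ok := current[k]; !ok {
			d.Removed = append(d.Removed, k)
		}
	}
	sort.Strings(d.Added)
	sort.Strings(d.Modified)
	sort.Strings(d.Removed)
	return d
}

func main() {
	// Constructed demo tree standing in for the config and plugin
	// directories; the layout and names are illustrative, not Zoraxy's.
	root, err := os.MkdirTemp("", "zoraxy-audit")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(root)
	must := func(e error) {
		if e != nil {
			panic(e)
		}
	}
	must(os.MkdirAll(filepath.Join(root, "conf"), 0o755))
	must(os.MkdirAll(filepath.Join(root, "plugins"), 0o755))
	must(os.WriteFile(filepath.Join(root, "conf", "site.json"), []byte(`{"host":"example"}`), 0o644))
	baseline, err := TakeSnapshot(root)
	must(err)
	// Simulate what the CVE's arbitrary-write primitive could leave behind.
	must(os.WriteFile(filepath.Join(root, "plugins", "evil"), []byte("dropped"), 0o755))
	must(os.WriteFile(filepath.Join(root, "conf", "site.json"), []byte(`{"host":"evil"}`), 0o644))
	current, err := TakeSnapshot(root)
	must(err)
	d := Compare(baseline, current)
	fmt.Printf("added: %v\nmodified: %v\nremoved: %v\n", d.Added, d.Modified, d.Removed)
}
```

Take the baseline immediately after a known-good install or the 3.3.2 upgrade, store the snapshot off the host so an attacker with the write primitive cannot quietly update it, and rerun on a schedule; any entry appearing under the plugin directory that does not correspond to a change you made is worth treating as an incident.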
Affected Countries
United States, Germany, United Kingdom, France, Japan, South Korea, Australia, Canada, Netherlands, Singapore
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-20T18:05:11.830Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69c58caf3c064ed76fc66ff7
Added to database: 3/26/2026, 7:44:47 PM
Last enriched: 3/26/2026, 8:00:23 PM
Last updated: 3/26/2026, 8:48:09 PM