CVE-2026-49290: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in byrongamatos slopsmith
Slopsmith is a self-contained web application for browsing, playing, and practicing Rocksmith 2014 Custom DLC (CDLC). Prior to 0.2.9-alpha.5, a path-traversal vulnerability in Slopsmith's archive extractors allows an attacker to write arbitrary files outside the extraction directory by supplying a crafted PSARC or sloppak archive. With the default Docker configuration (running as root) and the ability to drop a file into the plugin directory, this escalates to arbitrary remote code execution on the host. Three archive extractors concatenated archive-entry filenames directly onto the extraction root without validation: `lib/psarc.py::unpack_psarc` — PSARC TOC filenames; `lib/patcher.py::unpack_psarc` — duplicate of the above in the patcher flow; `lib/sloppak.py::_unpack_zip` — bare `ZipFile.extractall()` with no member filter. Each accepts entry names containing `..` segments, absolute paths, or backslash separators. The Python `zipfile` module's default `extractall()` is documented as not preventing traversal when callers don't supply a member-filter callback. Version 0.2.9-alpha.5 patches the issue. Until updated, do not open PSARC or sloppak archives from untrusted sources, and do not expose the Slopsmith instance to the public internet. Docker users should also pull the latest image after the next slopsmith Docker image is published.
AI Analysis
Technical Summary
Slopsmith, a web application for Rocksmith 2014 Custom DLC, had a path traversal vulnerability in its archive extraction components prior to version 0.2.9-alpha.5. The vulnerability stems from three archive extractors concatenating archive entry filenames directly onto the extraction root without validating for traversal sequences like '..', absolute paths, or backslashes. Specifically, the functions lib/psarc.py::unpack_psarc, lib/patcher.py::unpack_psarc, and lib/sloppak.py::_unpack_zip are affected. The use of Python's zipfile.extractall() without member filtering allows crafted archives to write files outside the extraction directory. When running Slopsmith in Docker with root privileges and the ability to drop files into the plugin directory, this can escalate to arbitrary remote code execution on the host. Version 0.2.9-alpha.5 addresses this issue by patching the extraction logic.
Potential Impact
An attacker can craft malicious PSARC or sloppak archives that exploit the path traversal vulnerability to write arbitrary files outside the intended extraction directory. In default Docker setups running as root, this can escalate to arbitrary remote code execution on the host system. This poses a high risk of system compromise if exploited.
Mitigation Recommendations
The vulnerability is fixed in Slopsmith version 0.2.9-alpha.5. Users should upgrade to this version or later. Until upgrading, do not open PSARC or sloppak archives from untrusted sources and avoid exposing the Slopsmith instance to the public internet. Docker users should pull the latest Slopsmith Docker image once it is published. These steps will mitigate the risk of exploitation.
CVE-2026-49290: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in byrongamatos slopsmith
Description
Slopsmith is a self-contained web application for browsing, playing, and practicing Rocksmith 2014 Custom DLC (CDLC). Prior to 0.2.9-alpha.5, a path-traversal vulnerability in Slopsmith's archive extractors allows an attacker to write arbitrary files outside the extraction directory by supplying a crafted PSARC or sloppak archive. With the default Docker configuration (running as root) and the ability to drop a file into the plugin directory, this escalates to arbitrary remote code execution on the host. Three archive extractors concatenated archive-entry filenames directly onto the extraction root without validation: `lib/psarc.py::unpack_psarc` — PSARC TOC filenames; `lib/patcher.py::unpack_psarc` — duplicate of the above in the patcher flow; `lib/sloppak.py::_unpack_zip` — bare `ZipFile.extractall()` with no member filter. Each accepts entry names containing `..` segments, absolute paths, or backslash separators. The Python `zipfile` module's default `extractall()` is documented as not preventing traversal when callers don't supply a member-filter callback. Version 0.2.9-alpha.5 patches the issue. Until updated, do not open PSARC or sloppak archives from untrusted sources, and do not expose the Slopsmith instance to the public internet. Docker users should also pull the latest image after the next slopsmith Docker image is published.
CVSS v4.0
Score 7.6high
Affected software
pkg:github/byrongamatos/slopsmithRun on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Slopsmith, a web application for Rocksmith 2014 Custom DLC, had a path traversal vulnerability in its archive extraction components prior to version 0.2.9-alpha.5. The vulnerability stems from three archive extractors concatenating archive entry filenames directly onto the extraction root without validating for traversal sequences like '..', absolute paths, or backslashes. Specifically, the functions lib/psarc.py::unpack_psarc, lib/patcher.py::unpack_psarc, and lib/sloppak.py::_unpack_zip are affected. The use of Python's zipfile.extractall() without member filtering allows crafted archives to write files outside the extraction directory. When running Slopsmith in Docker with root privileges and the ability to drop files into the plugin directory, this can escalate to arbitrary remote code execution on the host. Version 0.2.9-alpha.5 addresses this issue by patching the extraction logic.
Potential Impact
An attacker can craft malicious PSARC or sloppak archives that exploit the path traversal vulnerability to write arbitrary files outside the intended extraction directory. In default Docker setups running as root, this can escalate to arbitrary remote code execution on the host system. This poses a high risk of system compromise if exploited.
Mitigation Recommendations
The vulnerability is fixed in Slopsmith version 0.2.9-alpha.5. Users should upgrade to this version or later. Until upgrading, do not open PSARC or sloppak archives from untrusted sources and avoid exposing the Slopsmith instance to the public internet. Docker users should pull the latest Slopsmith Docker image once it is published. These steps will mitigate the risk of exploitation.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-05-28T20:07:58.862Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a358c5cf198dc38c1f2fbd0
Added to database: 06/19/2026, 18:37:16 UTC
Last enriched: 06/19/2026, 18:50:41 UTC
Last updated: 06/20/2026, 23:27:28 UTC
Views: 10
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.