CVE-2026-22685
📋 TL;DR
A path traversal vulnerability in the DevToys extension installer allows a malicious extension package (a NUPKG archive) to write files outside the intended extensions directory, potentially overwriting any file writable by the user running DevToys, including system files if that user is an administrator. This affects users running DevToys versions 2.0.0.0 through 2.0.8.0 who install third-party extensions; version 2.0.9.0 contains the fix. Successful exploitation could lead to arbitrary code execution with the privileges of the DevToys user, and from there to system compromise.
💻 Affected Systems
- DevToys 2.0.0.0 through 2.0.8.0 (fixed in 2.0.9.0)
⚠️ Risk & Real-World Impact
Worst Case
Arbitrary file overwrite leading to code execution with the privileges of the user running DevToys (for example by dropping a file into a startup or autorun location), which can be used for persistence; if that user is an administrator, this amounts to full system compromise.
Likely Case
Local file corruption or malicious extension installation leading to data loss, configuration tampering, or secondary attack vectors.
If Mitigated
With proper path validation in the installer (as in the patched version), writes from a package are confined to the DevToys extensions directory, preventing system-wide impact.
🎯 Exploit Status
Exploitation requires user interaction: the victim must install a malicious extension package. Once a NUPKG archive containing entries whose paths traverse out of the extraction directory (e.g. with `../` segments) is crafted, exploitation is straightforward; no authentication is needed beyond convincing the user to install the package.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.0.9.0
Vendor Advisory: https://github.com/DevToys-app/DevToys/security/advisories/GHSA-ggxr-h6fm-p2qh
Restart Required: Yes
Instructions:
1. Open the DevToys application.
2. Navigate to Settings > About.
3. Check the current version.
4. If it is below 2.0.9.0, download and install the latest version from the official GitHub releases page.
5. Restart DevToys after installation.
🔧 Temporary Workarounds
Disable Extension Installation (all platforms)
Prevent installation of any new extensions until patched.
No specific commands; manually avoid installing extensions.
Restrict Extension Sources (all platforms)
Only install extensions from trusted, verified sources.
No specific commands; implement policy.
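Both the exploit description above and the "Restrict Extension Sources" workaround come down to one question: does any entry in the NUPKG (which is a plain ZIP archive) resolve to a path outside the extraction directory? The following is an added example, not DevToys project code, of a pre-install check that answers that question and of an extractor that refuses the whole package if the answer is yes. The package contents, the extraction directory and the entry names are constructed for illustration; a real DevToys extension has more files.

```python
"""Zip-Slip check for a DevToys-style extension package (.nupkg = ZIP).
Added example; not DevToys project code. Sample packages are constructed."""
import io
import os
import tempfile
import zipfile
from typing import Dict, List, Union


def _entry_escapes(root: str, name: str) -> bool:
    """True if archive entry `name` would resolve outside `root`.

    ZIP names use '/' separators, but '\\' is treated as a separator too,
    since extractors on Windows commonly honour it. The comparison uses
    commonpath, not startswith, so a sibling such as root + '2' does not
    pass as being inside root."""
    normalized = name.replace("\\", "/")
    # Absolute paths and drive-letter prefixes never belong in a package.
    if normalized.startswith("/") or (len(normalized) > 1 and normalized[1] == ":"):
        return True
    root_abs = os.path.abspath(root)
    target = os.path.abspath(os.path.join(root_abs, *normalized.split("/")))
    try:
        return os.path.commonpath([root_abs, target]) != root_abs
    except ValueError:  # different drives on Windows
        return True


def find_traversal_entries(package_bytes: bytes, extract_root: str) -> List[str]:
    """Names of entries that would land outside `extract_root`; [] if clean."""
    with zipfile.ZipFile(io.BytesIO(package_bytes)) as zf:
        return [i.filename for i in zf.infolist()
                if _entry_escapes(extract_root, i.filename)]


def safe_extract(package_bytes: bytes, extract_root: str) -> List[str]:
    """Extract only if every entry passes; refuse the whole package otherwise.
    Returns the names extracted."""
    offenders = find_traversal_entries(package_bytes, extract_root)
    if offenders:
        raise ValueError(f"refusing package, traversal entries: {offenders}")
    with zipfile.ZipFile(io.BytesIO(package_bytes)) as zf:
        zf.extractall(extract_root)
        return zf.namelist()


def build_package(entries: Dict[str, Union[str, bytes]]) -> bytes:
    """Build an in-memory .nupkg (ZIP) from a name -> content map (test input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample packages; not real DevToys extensions.
BENIGN_PACKAGE = build_package({
    "Example.Extension.nuspec": "<package/>",
    "lib/net8.0/Example.Extension.dll": b"\x00",
})
MALICIOUS_PACKAGE = build_package({
    "Example.Extension.nuspec": "<package/>",
    "lib/net8.0/Example.Extension.dll": b"\x00",
    # Entry that walks up out of the extraction directory.
    "../../startup/payload.cmd": "echo pwned",
    # Backslash variant that Windows extractors may honour.
    "lib\\..\\..\\..\\evil.txt": "x",
})


def demo() -> dict:
    """Run both packages against a throwaway extensions directory."""
    with tempfile.TemporaryDirectory() as tmp:
        ext_dir = os.path.join(tmp, "Extensions")
        os.makedirs(ext_dir)
        extracted = safe_extract(BENIGN_PACKAGE, ext_dir)
        try:
            safe_extract(MALICIOUS_PACKAGE, ext_dir)
            refused = False
        except ValueError:
            refused = True
        return {"extracted": extracted, "refused": refused,
                "offenders": find_traversal_entries(MALICIOUS_PACKAGE, ext_dir)}


if __name__ == "__main__":
    print(demo())
```

The check is done over the whole archive before anything is written, so a package is either installed completely or not at all; validating entry by entry during extraction would leave earlier entries on disk when a later one is rejected. Python's own `extractall` happens to sanitize `..` segments, but many ZIP/NuGet extractors in other runtimes do not, which is why the check must not be delegated to the extractor.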
🧯 If You Can't Patch
- Run DevToys with minimal user privileges to limit potential damage from file overwrites.
- Implement application whitelisting to prevent execution of unauthorized binaries that could be dropped via this vulnerability.
🔍 How to Verify
Check if Vulnerable:
Check DevToys version in Settings > About. If version is between 2.0.0.0 and 2.0.8.0 inclusive, the system is vulnerable.
Check Version:
On Windows: Check DevToys version in Settings > About. No CLI command available.
Verify Fix Applied:
After updating, verify version is 2.0.9.0 or higher in Settings > About.
📡 Detection & Monitoring
Log Indicators:
- File writes by the DevToys process outside its extensions directory (and outside its own settings and temp locations)
- Rejected extension installs in the application logs, where DevToys logs them; note that only a patched version rejects such a package, an unpatched version writes the file without complaint
Network Indicators:
- Downloads of NUPKG files from untrusted sources
SIEM Query:
Process: DevToys AND NOT (FileWrite: <DevToys extensions directory>\* OR FileWrite: <DevToys settings/temp directories>\*)
Match on the destination path being outside the extensions directory rather than on a literal `\..\`: file-create telemetry (for example Sysmon Event ID 11) normally records the already-normalized path, so traversal sequences rarely appear in the logged value, and a query that only matches `C:\Windows\*`, `/etc/*` or `/usr/*` misses writes to user-writable autostart locations.
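The detection logic behind that query, as an added example run over constructed Sysmon-style FileCreate records (not part of the advisory): writes attributed to the DevToys image are normalized and compared against an allowlist of directories the application legitimately writes to, and everything else is flagged. The extensions, settings and temp paths below are assumptions for illustration; substitute the locations from your own installation.

```python
"""Flag DevToys file writes outside its expected directories.
Added example; event shape and directory paths are assumptions."""
import ntpath  # Windows path semantics regardless of the host OS
from typing import Dict, List

# Assumed per-user locations; verify against a real install.
EXTENSIONS_DIR = r"C:\Users\alice\AppData\Local\DevToys\Extensions"
ALLOWED_ROOTS = [
    EXTENSIONS_DIR,
    r"C:\Users\alice\AppData\Local\DevToys\Settings",  # assumed settings dir
    r"C:\Users\alice\AppData\Local\Temp",
]


def is_under(root: str, path: str) -> bool:
    """Case-insensitive, normalized containment check for Windows paths.
    commonpath (not startswith) so that 'Extensions2' is not inside 'Extensions'."""
    root_n = ntpath.normcase(ntpath.normpath(root))
    path_n = ntpath.normcase(ntpath.normpath(path))
    try:
        return ntpath.commonpath([root_n, path_n]) == root_n
    except ValueError:  # different drives
        return False


def suspicious_writes(events: List[Dict]) -> List[str]:
    """Return TargetFilename of every FileCreate (ID 11) by DevToys.exe
    that is not under an allowed root."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 11:
            continue
        if ntpath.normcase(ntpath.basename(ev.get("Image", ""))) != "devtoys.exe":
            continue
        target = ev.get("TargetFilename", "")
        if not any(is_under(root, target) for root in ALLOWED_ROOTS):
            hits.append(target)
    return hits


DEVTOYS = r"C:\Program Files\DevToys\DevToys.exe"
# Constructed sample events, not captured telemetry.
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": DEVTOYS,
     "TargetFilename": EXTENSIONS_DIR + r"\Example.Extension\lib\net8.0\Example.Extension.dll"},
    {"EventID": 11, "Image": DEVTOYS,
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\nuget-scratch.tmp"},
    {"EventID": 11, "Image": DEVTOYS,
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\payload.cmd"},
    {"EventID": 11, "Image": DEVTOYS,
     "TargetFilename": r"C:\Windows\System32\drivers\etc\hosts"},
    {"EventID": 11, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\alice\Desktop\notes.txt"},
    {"EventID": 1, "Image": DEVTOYS, "TargetFilename": ""},
    # Sibling-prefix case that a naive startswith check would accept.
    {"EventID": 11, "Image": DEVTOYS,
     "TargetFilename": r"C:\Users\alice\AppData\Local\DevToys\Extensions2\evil.dll"},
    # Unnormalized path as some sensors log it; resolves to ...\Local\evil.txt.
    {"EventID": 11, "Image": DEVTOYS,
     "TargetFilename": EXTENSIONS_DIR + r"\Example\..\..\..\evil.txt"},
]


if __name__ == "__main__":
    for hit in suspicious_writes(SAMPLE_EVENTS):
        print("suspicious:", hit)
```

Expect some legitimate noise on first deployment (update caches, crash dumps); widen `ALLOWED_ROOTS` from observed baseline writes rather than from guesses, and keep user-writable autostart locations and other applications' directories out of the allowlist, since those are exactly the targets a traversal payload would choose.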