CVE-2026-22685
Published: 10 January 2026
Summary
CVE-2026-22685 is a high-severity Path Traversal (CWE-22) vulnerability in the DevToys desktop app (vendor: DevToys). Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique User Execution: Malicious File (T1204.002); it is ranked at the 14.2nd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Directly prevents path traversal by validating file paths in NUPKG archives before extraction, ensuring they stay within the intended directory.
- Enforces access controls to restrict DevToys process writes to authorized directories only, blocking overwrites outside the extensions folder.
- Mitigates exploitation by scanning and restricting installation of untrusted user extensions, reducing exposure to malicious NUPKG packages.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Path traversal during NUPKG extraction enables delivery of a malicious file (T1204.002, User Execution: Malicious File) that overwrites arbitrary files, directly facilitating Hijack Execution Flow (T1574) for code execution or persistence.
NVD Description
DevToys is a desktop app for developers. In versions from 2.0.0.0 to before 2.0.9.0, a path traversal vulnerability exists in the DevToys extension installation mechanism. When processing extension packages (NUPKG archives), DevToys does not sufficiently validate file paths contained within the archive. A malicious extension package could include crafted file entries such as ../../…/target-file, causing the extraction process to write files outside the intended extensions directory. This flaw enables an attacker to overwrite arbitrary files on the user’s system with the privileges of the DevToys process. Depending on the environment, this may lead to code execution, configuration tampering, or corruption of application or system files. This issue has been patched in version 2.0.9.0.
Deeper analysis
CVE-2026-22685 is a path traversal vulnerability (CWE-22) in DevToys, a desktop application for developers. The flaw affects versions from 2.0.0.0 up to but not including 2.0.9.0, specifically in the extension installation mechanism. When processing NUPKG archive packages for extensions, DevToys does not adequately validate file paths within the archive. This allows malicious packages to include crafted entries, such as ../../…/target-file, enabling the extraction process to write files outside the intended extensions directory and overwrite arbitrary files on the user's system under the privileges of the DevToys process.
An attacker can exploit this vulnerability by providing a malicious NUPKG extension package, which requires no privileges (PR:N) and is accessible over the network (AV:N), but demands user interaction (UI:R) to install. Successful exploitation allows overwriting of arbitrary files, potentially leading to code execution, configuration tampering, or corruption of application or system files, depending on the environment. The CVSS v3.1 base score is 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), reflecting high confidentiality, integrity, and availability impacts.
The issue has been addressed in DevToys version 2.0.9.0. Mitigation details are available in the GitHub security advisory (GHSA-ggxr-h6fm-p2qh), the fixing pull request (#1643), and the patch commit (02fb7d46d9c663a4ee6ed968baa6a8810405047f), all at https://github.com/DevToys-app/DevToys. Security practitioners should advise users to update to 2.0.9.0 or later and avoid installing untrusted extensions.
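The check the NVD description and the analysis above call for, shown as an added example in Python (DevToys itself is a .NET application; this is not the project's code or its fix): every NUPKG entry is resolved against the extension directory before anything is written, and a package containing even one escaping entry is rejected whole. The archives are constructed in memory, and the entry names and destination directory are assumptions.

```python
import io
import os
import zipfile

def safe_entry_path(dest_dir: str, entry_name: str):
    """Resolve an archive entry under dest_dir; return None if it would land outside it."""
    dest_root = os.path.realpath(dest_dir)
    # NUPKG is a zip: entry names may use '/' or '\', be absolute, or contain '..'
    name = entry_name.replace("\\", "/")
    if name.startswith("/") or (len(name) > 1 and name[1] == ":"):
        return None  # absolute POSIX path or Windows drive letter
    candidate = os.path.realpath(os.path.join(dest_root, name))
    # realpath collapses '..'; accept only if the result is still inside dest_root
    if os.path.commonpath([dest_root, candidate]) != dest_root:
        return None
    return candidate

def check_package(data: bytes, dest_dir: str) -> list:
    """Return every entry name that would escape dest_dir (empty list means clean)."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [n for n in zf.namelist() if safe_entry_path(dest_dir, n) is None]

def extract_package(data: bytes, dest_dir: str) -> list:
    """Validate the whole package first, then extract; any bad entry rejects the package."""
    bad = check_package(data, dest_dir)
    if bad:
        raise ValueError("package rejected, traversal entries: %r" % bad)
    written = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            target = safe_entry_path(dest_dir, info.filename)
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(target)
    return written

def build_package(entries: dict) -> bytes:
    """Build a minimal in-memory zip in NUPKG layout (constructed sample, not a real extension)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()

# Constructed samples: a well-formed package and one carrying the '../../target-file' pattern.
GOOD_PACKAGE = build_package({"MyExt.nuspec": b"<package/>", "lib/net8.0/MyExt.dll": b"MZ"})
BAD_PACKAGE = build_package({"MyExt.nuspec": b"<package/>", "../../target-file": b"overwritten"})
```

Validating the full entry list before the first write matters: checking entries one at a time during extraction still leaves earlier entries on disk when a later one is rejected.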
Details
- CWE(s)