Security Advisory

ZipSlip vulnerability in elfinder.NetCore

A ZipSlip vulnerability allows malicous users to place arbitrary files to arbitrary locations.

Advisory ID: MLSA-2021-003
CVE: CVE-2021-23427
Severity: high
Affected versions: all versions
Fixed versions: no fix
Discovered by: Timo Müller

Product description

elFinder.NetCore is a file manager for web.


When extracting Zip archives, the code does not sanitize the entry in the ZIP file before it is used to construct the full path. This can be abused to write arbitrary files to arbitrary locations.

Here the vulnerable code in FileSystemDriver.cs:

 1foreach (ZipArchiveEntry entry in archive.Entries)
 3    try
 4    {
 5        //Replce zip entry path separator by system path separator
 6        string file = Path.Combine(rootPath, entry.FullName)
 7             .Replace("/", separator).Replace("\\", separato
 8        if (file.EndsWith(separator)) //directory
 9        {
10            var dir = new FileSystemDirectory(fil
11            if (!await dir.ExistsAsync)

Coordinated Disclosure Timeline

  • 30/06/2021 Issue reported to Synk, which handled the vulnerability disclosure and assigned a CVE.
  • 20/08/2021 Public disclosure.