CVE-2019-13623

HIGH

NSA Ghidra < 9.1 - Path Traversal and Arbitrary File Write via Archive Filename

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2019-13623. PoCs published by Etienne Lacoche.

AI-analyzed exploit summary This exploit leverages CVE-2019-13623 in Ghidra by replacing the decompile binary with a malicious script that establishes a reverse shell. The exploit packages the binary into a .gar file, which when restored in Ghidra, executes the payload.

Description

In NSA Ghidra before 9.1, path traversal can occur in RestoreTask.java (from the package ghidra.app.plugin.core.archive) via an archive with an executable file that has an initial ../ in its filename. This allows attackers to overwrite arbitrary files in scenarios where an intermediate analysis result is archived for sharing with other persons. To achieve arbitrary code execution, one approach is to overwrite some critical Ghidra modules, e.g., the decompile module.

Exploits (1)

exploitdb WORKING POC VERIFIED

by Etienne Lacoche · pythonlocallinux

https://www.exploit-db.com/exploits/47231

View Code ZIP pw:eip

This exploit leverages CVE-2019-13623 in Ghidra by replacing the decompile binary with a malicious script that establishes a reverse shell. The exploit packages the binary into a .gar file, which when restored in Ghidra, executes the payload.

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Trivial

Reliability

Reliable

Target: Ghidra <= 9.0.4

No auth needed

Prerequisites: Victim must restore the malicious .gar file in Ghidra · Attacker must have a netcat listener ready

MITRE ATT&CK

T1203 - Exploitation for Client Execution T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (4)

Core 4

Core References

Exploit, Third Party Advisory x_refsource_misc

https://github.com/NationalSecurityAgency/ghidra/issues/789

Exploit, Third Party Advisory x_refsource_misc

http://blog.fxiao.me/ghidra/

Exploit, Third Party Advisory x_refsource_misc

http://packetstormsecurity.com/files/154015/Ghidra-Linux-9.0.4-Arbitrary-Code-Execution.html

Various Sources x_refsource_confirm

https://ghidra-sre.org/releaseNotes_9.1_final.html

Scores

CVSS v3 7.8

EPSS 0.0496

EPSS Percentile 91.1%

Attack Vector LOCAL

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Details

CWE

CWE-22

Status published

Products (1)

nsa/ghidra < 9.0.4

Published Jul 17, 2019

Tracked Since Feb 18, 2026