CVE-2024-42471

HIGH

actions/artifact <2.1.2 - Path Traversal

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2024-42471. PoCs published by cybersploit, theMcSam.

AI-analyzed exploit summary This exploit demonstrates an arbitrary file write vulnerability in unzip-stream 0.3.1 by crafting a malicious ZIP file with a path traversal payload in the arcname parameter. It bypasses Python's zipfile module restrictions to achieve directory traversal during extraction.

Description

actions/artifact is the GitHub ToolKit for developing GitHub Actions. Versions of `actions/artifact` on the 2.x branch before 2.1.2 are vulnerable to arbitrary file write when using `downloadArtifactInternal`, `downloadArtifactPublic`, or `streamExtractExternal` for extracting a specifically crafted artifact that contains path traversal filenames. Users are advised to upgrade to version 2.1.2 or higher. There are no known workarounds for this issue.

Exploits (2)

exploitdb WORKING POC

by cybersploit · pythonlocalnodejs

https://www.exploit-db.com/exploits/52276

View Code ZIP pw:eip

This exploit demonstrates an arbitrary file write vulnerability in unzip-stream 0.3.1 by crafting a malicious ZIP file with a path traversal payload in the arcname parameter. It bypasses Python's zipfile module restrictions to achieve directory traversal during extraction.

Classification

Working Poc 95%

Attack Type

Other

Complexity

Moderate

Reliability

Reliable

Target: unzip-stream 0.3.1

No auth needed

Prerequisites: Python environment · Modification of Python's zipfile module · Write access to target directory

MITRE ATT&CK

T1059 - Command and Scripting Interpreter T1222 - File and Directory Permissions Modification

devstral-2 · analyzed Feb 16, 2026 Full analysis →

nomisec WORKING POC

by theMcSam · poc

https://github.com/theMcSam/CVE-2024-42471-PoC

View Code ZIP pw:eip

This PoC demonstrates a directory traversal vulnerability in unzip-stream 0.3.1, allowing arbitrary file write/overwrite via a maliciously crafted ZIP archive. The exploit leverages Python's zipfile module to create a ZIP with a path traversal payload.

Classification

Working Poc 95%

Attack Type

Other

Complexity

Trivial

Reliability

Reliable

Target: unzip-stream 0.3.1

No auth needed

Prerequisites: Python environment · Ability to create/modify ZIP files · Target system with vulnerable unzip-stream version

MITRE ATT&CK

T1059.007 - JavaScript T1190 - Exploit Public-Facing Application

devstral-2 · analyzed Feb 18, 2026 Full analysis →

References (3)

Core 3

Core References

Vendor Advisory x_refsource_confirm

https://github.com/actions/toolkit/security/advisories/GHSA-6q32-hq47-5qq3

Issue Tracking x_refsource_misc

https://github.com/actions/toolkit/pull/1666

Not Applicable x_refsource_misc

https://snyk.io/research/zip-slip-vulnerability

Scores

CVSS v3 7.3

EPSS 0.0541

EPSS Percentile 90.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-22

Status published

Products (3)

actions/artifact 2.0.0 - 2.1.2npm

github/actions\/artifact 2.0.0 - 2.1.7

github/actions_toolkit

Published Sep 02, 2024

Tracked Since Feb 18, 2026