Path Traversal Vulnerability in Mod Organizer 2

[Sjift]

Path Traversal Vulnerability in Mod Organizer

Affected Versions

• Test Version: Mod Organizer v2.5.2 (Latest Stable Version)
• Affected Versions: Presumed to be all versions v2.5.2 and earlier

---

Summary

A path traversal vulnerability was identified in Mod Organizer 2. When the application processes compressed archives containing absolute file paths, it fails to properly sanitize the entries, allowing files to be written to arbitrary locations on the host system. This enables unauthorized file creation outside the user-selected extraction directory.

---

Proof of Concept (PoC)

A test archive demonstrating the vulnerability is included as:
poc_path_traversal.zip

Compressed file contents:

Archive Entry Path: C:/test/poc_evidence.txt
File Content: "Path Traversal Proof of Concept"

When this compressed file is extracted using Mod Organizer 2, the file is written to C:\test\poc_evidence.txt instead of within the user-specified extraction directory.

---

Reproduction Steps

Environment

• Operating System: Windows 11 25H2 (26200.7171)
• Application: Mod Organizer v2.5.2
• Test File: poc_path_traversal.zip

Reproduction Steps

1. Launch Mod Organizer 2

   

2. Attempt to install the attached poc_path_traversal.zip file via the Install Mod feature

   

3. Verify that the file is created at C:\test\poc_evidence.txt instead of within the intended extraction directory

   

---

Proposed Fix

The following security measures must be implemented when extracting compressed files:

1. Block absolute paths

• Reject paths starting with drive letters (e.g., C:, D:)
• Remove leading slashes (/) or backslashes (\\) indicating root paths

2. Verify extraction paths

• Ensure all files' final extraction paths are within the user-specified extraction directory
• Reject extraction and warn the user for paths outside the extraction directory

[AnyOldName3]

This isn't a vulnerability. We make no claims of robustness if you feed arbitrary or malicious data to MO2, so users are supposed to vet everything themselves (or, more realisticly, rely on the fact that the Nexus puts everything uploaded to it through VirusTotal and manually removes everything reported as malware by users despite passing the automated checks). If you start maliciously crafting files to make MO2 do unintended things, you'll be able to find plenty of much bigger problems than this one, such as the fact that plenty of mod packaging formats inherently require arbitrary code execution, so if you put a DLL with the right entrypoint in the right place in a zip, we've got no choice but to run it.

However, it's definitely a bug that the file ends up extracted to C:\test\poc_evidence.txt instead of C:\users\USERNAME\AppData\Local\ModOrganizer\Subnautica\mods\poc_path_traversal\C_\test\poc_evidence.txt