DEV Community

CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-24479: HUSTOJ Zip Slip: Sliding into RCE via Bad Math (and Worse Patches)


Vulnerability ID: CVE-2026-24479
CVSS Score: 9.3
Published: 2026-01-27

A critical path traversal vulnerability (Zip Slip) in HUSTOJ's problem import functionality allows an attacker to write files at arbitrary locations on the server, including overwriting existing ones. Because the destination can be the web root, this leads directly to Remote Code Execution (RCE).

TL;DR

HUSTOJ, a popular online judge system, fails to sanitize filenames inside uploaded ZIP archives in its QDUOJ and HOJ problem-import modules. By uploading a crafted ZIP whose entry names contain directory traversal sequences (e.g., ../../shell.php), an unauthenticated attacker can write a PHP web shell into the server's web root. The vendor's patch tries to fix this with a single, non-recursive str_replace('../', '') on the assembled path, which is easily bypassed because the filter never re-scans its own output. Note that the patched handler lives under trunk/web/admin/, so whether the import endpoint is reachable without credentials depends on how that directory is exposed in a given deployment.


⚠️ Exploit Status: PoC

Technical Details

  • CWE ID: CWE-22 (Path Traversal)
  • Attack Vector: Network
  • CVSS v4.0: 9.3 (Critical)
  • Privileges Required: None
  • Impact: Remote Code Execution (RCE)
  • Patch Quality: Weak (Bypassable)

Affected Systems

  • HUSTOJ Online Judge System
  • HUSTOJ: < 26.01.24 (Fixed in: 26.01.24)

Code Analysis

Commit: 902bd09

Attempted fix: a single str_replace() that strips '../' from the assembled destination path before it is split and used

--- a/trunk/web/admin/problem_import_qduoj.php
+++ b/trunk/web/admin/problem_import_qduoj.php
@@ -119,6 +119,7 @@ function import_json($json) {
     while ($dir_resource = zip_read($resource)) {
       if (zip_entry_open($resource,$dir_resource)) {
         $file_name = $path.zip_entry_name($dir_resource);
+        $file_name=str_replace('../', '', $file_name);
         $file_path = substr($file_name,0,strrpos($file_name, "/"));
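Review bot: the added str_replace('../', '', $file_name) runs exactly one non-recursive pass, so an entry name spelled ....//....//shell.php collapses to ../../shell.php after the replacement and the traversal still reaches the substr()/directory logic on the following line; the unchecked concatenation $file_name = $path.zip_entry_name($dir_resource) is left as the only source of the path. Reject entries instead of rewriting them: skip any name that contains a .. segment or starts with /, and before creating anything confirm that realpath(dirname($file_name)) still begins with realpath($path) followed by a slash (realpath() of the not-yet-written file itself would return false). This hunk touches only problem_import_qduoj.php; the HOJ importer named in the summary needs the same treatment.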

Exploit Details

  • Internal Research: Standard Zip Slip exploitation. The traversal sequence travels in the archive entry name; the importer concatenates that name onto the destination directory and creates the file without validating where the resulting path points.

Mitigation Strategies

  • Restrict network access to the admin import endpoints.
  • Validate every entry name before anything is written: reject names containing a .. segment, an absolute prefix, a backslash or a NUL byte, then confirm with realpath() that the resolved parent directory is still inside the import directory. realpath() returns false for a file that does not exist yet, so run the check on the parent directory, not on the target file.
  • Disable the QDUOJ/HOJ import modules if they are not strictly necessary.

Remediation Steps:

  1. Upgrade HUSTOJ to version 26.01.24 (caution: the patch is weak and should not be relied on alone).
  2. Manually patch problem_import_qduoj.php (and the HOJ importer) to reject unsafe entry names and verify the resolved parent directory with realpath().
  3. As defense in depth only, configure WAF rules to block uploads containing ../ or ..\ sequences. ZIP entry names are stored uncompressed in the archive headers, so a byte-pattern rule can see them, but it does not replace validation inside the importer.
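The following PHP script is an added example, not HUSTOJ's code and not the vendor's patch. It puts the patch's single-pass str_replace() filter (Exploit Details above) beside a reject-and-verify check of the kind the mitigation and remediation steps describe, and runs both over a few constructed archive entry names. The function names, the scratch directory under the system temp dir and the entry names are this example's own assumptions; it needs PHP 7.1 or later.

```php
<?php
declare(strict_types=1);
// Added example, not HUSTOJ code. Contrasts the 26.01.24 patch's
// single-pass str_replace() filter with a reject-and-verify check.
// $base, the entry names and the function names are assumptions made here.

// The patch's approach: strip '../' once from the assembled path.
function weak_sanitize(string $base, string $entry): string
{
    return str_replace('../', '', $base . $entry);
}

// Hardened replacement. Returns the absolute target path under $base,
// or null when the entry must be skipped. Nothing is created on disk
// until the lexical checks have passed.
function safe_target_path(string $base, string $entry): ?string
{
    // 1. Lexical checks on the raw name taken from the archive.
    if ($entry === '' || strpos($entry, "\0") !== false || strpos($entry, '\\') !== false) {
        return null;                                  // NUL or backslash: not a valid name here
    }
    if ($entry[0] === '/') {
        return null;                                  // absolute name inside the archive
    }
    foreach (explode('/', $entry) as $segment) {
        if ($segment === '..') {
            return null;                              // any parent reference, however it is padded
        }
    }

    // 2. Resolve on disk and confirm the parent stays under $base.
    //    realpath() returns false for paths that do not exist yet, so the
    //    check runs on the (created) parent directory, not on the file.
    $realBase = realpath($base);
    if ($realBase === false) {
        return null;
    }
    $isDir  = substr($entry, -1) === '/';             // zip directory entry
    $target = $realBase . '/' . $entry;
    $dir    = $isDir ? rtrim($target, '/') : dirname($target);
    if (!is_dir($dir) && !mkdir($dir, 0750, true)) {
        return null;
    }
    $realDir = realpath($dir);
    if ($realDir === false
        || ($realDir !== $realBase && strncmp($realDir, $realBase . '/', strlen($realBase) + 1) !== 0)) {
        return null;                                  // symlink or other escape from $base
    }
    return $isDir ? $realDir : $realDir . '/' . basename($target);
}

// Scratch directory standing in for HUSTOJ's import $path (left behind for inspection).
$base = sys_get_temp_dir() . '/oj_import_' . bin2hex(random_bytes(4));
mkdir($base, 0750, true);

// Constructed entry names: one legitimate, four hostile.
$entries = [
    'problem/1.json',            // legitimate
    '../../shell.php',           // plain traversal: the patch's filter does strip this one
    '....//....//shell.php',     // one str_replace('../', '') pass leaves '../../shell.php'
    '/var/www/shell.php',        // absolute name (harmless after concatenation, rejected anyway)
    'problem/../../shell.php',   // traversal after a harmless prefix; also stripped by the patch
];

foreach ($entries as $entry) {
    printf("%s\n  weak: %s\n  safe: %s\n",
        $entry,
        weak_sanitize($base . '/', $entry),
        safe_target_path($base, $entry) ?? 'REJECTED');
}
```

In the import loop this replaces the str_replace() line: compute $file_name = safe_target_path($path, zip_entry_name($dir_resource)) and `continue` when it is null, then proceed with the existing directory and write logic. The HOJ importer needs the same call. The weak filter is kept only to show the gap: the third entry comes out of it still carrying ../../, while the hardened check rejects it before any directory is created.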

Read the full report for CVE-2026-24479 on our website for more details including interactive diagrams and full exploit analysis.
