Full Report
An Unrestricted Upload of File with Dangerous Type vulnerability (CVE-2026-13165) has been found in the SzafirHost software.
Analysis Summary
# Vulnerability: Remote Code Execution via Malicious Archive Injection in SzafirHost
## CVE Details
- **CVE ID**: CVE-2026-13165
- **CVSS Score**: Not explicitly provided (Estimated High/Critical based on RCE impact)
- **CWE**: CWE-434 (Unrestricted Upload of File with Dangerous Type) / Related to CWE-347 (Improper Verification of Cryptographic Signature)
## Affected Systems
- **Products**: SzafirHost (by Krajowa Izba Rozliczeniowa)
- **Versions**: All versions prior to 1.2.2
- **Configurations**: Default installations utilizing the native library download and update mechanism.
## Vulnerability Description
The vulnerability stems from a discrepancy in how SzafirHost processes Java Archive (JAR) files. The software utilizes two different parsers for verification and extraction:
1. **Verification**: Uses the `JarFile` parser, which reads the **Central Directory** of the archive to validate signatures.
2. **Extraction**: Uses the `JarInputStream` parser, which reads files **sequentially** from local file headers.
An attacker can craft a malicious archive where a dangerous payload (such as a `.dll`, `.so`, or `.dylib` file) is inserted between the last legitimate entry and the Central Directory. Because the signature verifier only checks entries listed in the Central Directory, it deems the archive valid. However, the extractor reads the injected malicious file sequentially and writes it to the native temporary directory without hash verification.
## Exploitation
- **Status**: Disclosed via Coordinated Vulnerability Disclosure (CVD); no reported exploitation in the wild at this time.
- **Complexity**: Medium (Requires man-in-the-middle or control over the server serving the library updates).
- **Attack Vector**: Network (Remote)
## Impact
- **Confidentiality**: High (Potential full system access)
- **Integrity**: High (Replacement of system/application libraries)
- **Availability**: High (System compromise or service disruption)
- **Result**: Remote Code Execution (RCE).
## Remediation
### Patches
- **SzafirHost version 1.2.2**: This version addresses the parser discrepancy and implements proper checks. Users should upgrade immediately.
### Workarounds
- No specific workarounds provided; upgrading to the patched version is the recommended course of action.
## Detection
- **Indicators of Compromise**: Monitor for unexpected `.dll`, `.so`, or `.dylib` files created in the application's temporary directories.
- **Detection Methods**: Security tools should inspect JAR files for discrepancies between Local File Headers and the Central Directory (often referred to as "JarBleed" or "Zip Slip" style anomalies).
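The detection method above, and the parser discrepancy described under Vulnerability Description, as an added example (this is not code from the advisory or from SzafirHost): a Python check that reconstructs both views of an archive, the central directory that a `JarFile`-style verifier reads and the sequential chain of local file headers that a `JarInputStream`-style extractor follows, and reports entries present in the second but absent from the first. The sample archive, the injected entry name and all helper names are constructed for this demonstration.

```python
import io
import struct
import zipfile
import zlib

LOCAL_SIG = b"PK\x03\x04"  # local file header: what a sequential reader follows
EOCD_SIG = b"PK\x05\x06"   # end-of-central-directory record

def walk_local_headers(data: bytes) -> list:
    """Names reachable by walking local headers in order (the JarInputStream view)."""
    names, pos = [], 0
    while data[pos:pos + 4] == LOCAL_SIG:
        flags, = struct.unpack_from("<H", data, pos + 6)
        csize, = struct.unpack_from("<I", data, pos + 18)
        nlen, xlen = struct.unpack_from("<HH", data, pos + 26)
        if flags & 0x08:  # sizes deferred to a data descriptor: cannot skip blindly
            raise ValueError("data descriptor present; decompress to locate entry end")
        names.append(data[pos + 30:pos + 30 + nlen].decode("utf-8"))
        pos += 30 + nlen + xlen + csize
    return names

def central_directory_names(data: bytes) -> list:
    """Names listed in the central directory (the JarFile / signature-verifier view)."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [info.filename for info in zf.infolist()]

def unlisted_entries(data: bytes) -> list:
    """Entries a sequential extractor would write out but the verifier never checks."""
    listed = set(central_directory_names(data))
    return [name for name in walk_local_headers(data) if name not in listed]

def build_clean_archive() -> bytes:
    """Constructed sample: a small, internally consistent archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("lib/native-loader.txt", "listed entry\n")
    return buf.getvalue()

def inject_unlisted_entry(data: bytes, name: str, payload: bytes) -> bytes:
    """Constructed fixture: add a local-header-only entry before the central directory and fix the EOCD offset."""
    eocd = data.rfind(EOCD_SIG)
    cd_start, = struct.unpack_from("<I", data, eocd + 16)  # offset of the central directory
    name_b = name.encode("utf-8")
    header = LOCAL_SIG + struct.pack("<HHHHHIIIHH", 20, 0, 0, 0, 0, zlib.crc32(payload), len(payload), len(payload), len(name_b), 0)
    extra = header + name_b + payload
    out = bytearray(data[:cd_start] + extra + data[cd_start:])
    struct.pack_into("<I", out, out.rfind(EOCD_SIG) + 16, cd_start + len(extra))
    return bytes(out)
```

Running `unlisted_entries` on a JAR before handing it to an extractor flags exactly the kind of entry the verifier would never see; an archive that uses data descriptors needs a decompressing walk instead of the blind skip shown here.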
## References
- **KIR / Szafir**: hxxps[://]www[.]kir[.]pl/
- **CERT Polska Advisory**: hxxps[://]cert[.]pl/en/cve/CVE-2026-13165/
- **CVE Record**: hxxps[://]www[.]cve[.]org/CVERecord?id=CVE-2026-13165
- **CWE-434**: hxxps[://]cwe[.]mitre[.]org/data/definitions/434[.]html