github byrongamatos/slopsmith-desktop v0.2.9-alpha.5

4 hours ago

Caution

This is a security release. Update immediately.

A path-traversal vulnerability in Slopsmith's archive extractors allows arbitrary file write — and, with the default Docker configuration running as root, escalation to remote code execution via plugin drop. Every prior 0.2.x release is affected, including v0.2.8 stable and all 0.2.9 alphas (.1 through .4). Their release assets have been removed from GitHub. v0.2.9-alpha.5 is the only safe build.


What's fixed

Path traversal in archive extractors (slopsmith#382)

PSARC TOC filenames and sloppak ZIP member names were concatenated directly onto the extraction directory without validation in three places:

  • lib/psarc.py::unpack_psarc
  • lib/patcher.py::unpack_psarc
  • lib/sloppak.py::_unpack_zip (via bare ZipFile.extractall)

A crafted archive entry containing .. segments, an absolute path, or backslash separators could write files anywhere on the host filesystem reachable by the process. The affected surfaces are upload, click-to-play, retune, and PSARC→sloppak conversion — all reachable without authentication in a default local deployment. With Docker running as root (the default), an attacker who can cause Slopsmith to extract a crafted archive can write an arbitrary file into the plugin directory and trigger execution on the next page load.

The fix introduces lib/safepath.py::safe_join(root, name), which resolves the join, normalises backslash separators, and refuses any path that escapes the root or is otherwise unrepresentable (NUL bytes, OS errors). All three extractors and server.py::_resolve_dlc_path now route through it.
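The bounds-checked join and the extractor routing described above, as an added Python example: this is not the project's lib/safepath.py or its extractors, and the function names, the UnsafePathError class and the in-memory test archives are assumptions constructed for illustration.

```python
import io
import os
import tempfile
import zipfile

class UnsafePathError(ValueError):
    """An archive member name resolves outside the extraction root."""

def safe_join(root: str, name: str) -> str:
    """Bounds-checked join; an illustrative stand-in, not the project's lib/safepath.py."""
    if not name or "\x00" in name:
        raise UnsafePathError(f"empty or NUL-containing member name: {name!r}")
    normalised = name.replace("\\", "/")  # backslash separators must not dodge the check
    try:
        root_real = os.path.realpath(root)
        # join() drops root for an absolute name, so '/etc/x' fails containment below
        candidate = os.path.realpath(os.path.join(root_real, normalised))
        if os.path.commonpath([root_real, candidate]) != root_real:  # not startswith()
            raise UnsafePathError(f"member {name!r} escapes the extraction root")
    except OSError as exc:  # path unrepresentable on this OS
        raise UnsafePathError(f"unrepresentable member name {name!r}: {exc}") from exc
    return candidate

def extract_zip_safely(data: bytes, dest: str) -> list:
    """Stand-in for bare ZipFile.extractall: every member name passes safe_join."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        # Validate every name before writing: a bad entry late in the TOC must not leave a partial tree
        targets = [(i, safe_join(dest, i.filename)) for i in zf.infolist()]
        for info, target in targets:
            if not info.is_dir():
                os.makedirs(os.path.dirname(target), exist_ok=True)
                with zf.open(info) as src, open(target, "wb") as dst:
                    dst.write(src.read())
    return [t for i, t in targets if not i.is_dir()]

def build_zip(entries: dict) -> bytes:  # constructed test archive; writestr keeps '../' names verbatim
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, payload in entries.items():
            zf.writestr(name, payload)
    return buf.getvalue()

def demo() -> dict:  # clean archive extracts; one carrying a ../ probe is refused before any write
    good = build_zip({"songs/track.psarc": b"PSAR", "meta/info.json": b"{}"})
    bad = build_zip({"songs/track.psarc": b"PSAR", "../../tmp/rce_probe": b"x"})
    with tempfile.TemporaryDirectory() as root:
        result = {"good": len(extract_zip_safely(good, root)), "rejected": False}
        try:
            extract_zip_safely(bad, os.path.join(root, "bad"))
        except UnsafePathError as exc:
            result.update(rejected=True, reason=str(exc), wrote=os.path.exists(os.path.join(root, "bad")))
    return result
```

Because the whole table of contents is validated before the first write, the rejected archive leaves no destination directory behind, which is the behaviour a regression test for this class of bug should assert on.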

Credit and thanks to @michael-benedetti for discovering and reporting this vulnerability and for authoring the fix.


What to do

  1. Install or update to v0.2.9-alpha.5 immediately. The Velopack in-app updater on existing alpha installs will pick this up automatically on the alpha channel — open the app and check the App Updates section in Settings, or let the background check run.
  2. If you are on v0.2.8 stable or any earlier build, update via the links below. Those release assets have been removed.
  3. If you run a self-hosted instance, pull the latest Docker image after updating.

What to test

Security regression:

  • Craft (or use a known-bad) PSARC or ZIP archive containing a ../-escaped entry (e.g. ../../tmp/rce_probe). Attempt to load it via upload, click-to-play, retune, and PSARC→sloppak conversion. Expected: the extractor rejects the entry with a clear error; no file is written outside the extraction root.
  • Confirm the rejection message surfaces in the UI (toast or error response) rather than silently swallowing the error.

Regression / smoke:

  • Normal PSARC loading (click-to-play, retune) continues to work on a legitimate Rocksmith CDLC.
  • Normal sloppak loading and PSARC→sloppak conversion continue to work.
  • Upload of a valid .psarc completes without errors.

Changelog

slopsmith-desktop

One change since alpha.4 — the security version bump:

  • chore: bump version to 0.2.9-alpha.5 (security pre-release) — desktop#226

slopsmith core

5 PRs merged since alpha.4 (2026-05-23T12:25:51Z):

  • fix(security): reject path traversal in archive extractors — new lib/safepath.py::safe_join routes all three extractors through a bounds-checked join; server.py::_resolve_dlc_path also updated — #382 by @michael-benedetti
  • feat: Library Provider architecture — first-class LibraryProviderRegistry and LocalLibraryProvider wrapping the existing metadata DB; plugin-facing registration hooks; /api/library/providers endpoint; lays groundwork for remote library plugins browseable through the normal Library screen — #333 by @barlind
  • feat(settings): App Updates block at the top of Settings (desktop only) — moves Velopack channel/update controls out of the audio plugin panel into a top-level card on the main Settings page; hidden when the desktop bridge is absent so the web-only build is unaffected — #372
  • feat: Folder Organizer added to Available Plugins — collapsible folder tree with list/grid views, album art, live search, drag-and-drop, and folder management — #378 by @Elit3d
  • feat: NAM Rig Builder added to Available Plugins — maps Rocksmith 2014 tones to tone3000 NAM captures + IRs and plays each song through a full pedal → amp → cab neural chain; companion to the nam_tone engine plugin — #379 by @Jafz2001

Bundled plugins

No plugin repos received merged PRs between alpha.4 and alpha.5.


Contributors

@barlind, @byrongamatos, @Elit3d, @Jafz2001, @michael-benedetti


Full changelog: v0.2.9-alpha.4...v0.2.9-alpha.5
