CVE-2026-47669: DbGate: Zip Slip in archive/unzip allows arbitrary file write leading to RCE

The unzipDirectory() function in packages/api/src/shell/unzipDirectory.js (line 27) does not validate that extracted file paths stay within the output directory. A malicious ZIP with ../ entries writes files anywhere on the filesystem.

In the default Docker deployment, DbGate runs as root and the none auth provider issues JWT tokens without credentials via POST /auth/login, so this is exploitable by any network-adjacent attacker.

Affected code:

packages/api/src/shell/unzipDirectory.js, line 27:

const destPath = path.join(outputDirectory, entry.fileName);
// No check that destPath stays within outputDirectory

Called from packages/api/src/controllers/archive.js, lines 291-293:

async unzip({ folder }) {
const newFolder = await this.getNewArchiveFolder({ database: folder.slice(0, -4) });
await unzipDirectory(path.join(archivedir(), folder), path.join(archivedir(), newFolder));

The archive controller also has zero permission checks and zero path traversal protection on any of its endpoints.

PoC:

import requests, zipfile, io

TARGET = "http://localhost:3000"