CVE-2026-37531

AGL · app-framework-main

AGL app-framework-main is vulnerable to Zip Slip path traversal and a TOCTOU race condition during widget installation, allowing arbitrary file writes.

Executive summary

A critical combination of Zip Slip and TOCTOU vulnerabilities in the AGL app-framework-main allows unauthenticated attackers to write arbitrary files to the filesystem.

Vulnerability

The installer does not reject ZIP entry names containing path traversal sequences (`../` components or absolute paths), so an entry in a crafted widget package is written wherever its name points rather than under the widget's install directory (Zip Slip). Separately, entries are extracted to disk before the package signature is verified, and nothing removes them when verification then fails. The two flaws combine: a package with a forged or missing signature still gets its traversal entries written to arbitrary locations, and those files persist after the install is rejected.
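The two ordering and validation mistakes side by side with a hardened installer, as an added example written for this advisory (it is not code from AGL app-framework-main). It uses Python's standard zipfile module; the widget "signature" is stood in for by an HMAC over the archive bytes (an assumption, the real framework's signing scheme differs), and the widget archives are constructed in memory. The hardened path verifies first, validates every entry name before any write, extracts into a private staging directory whose resolved target paths are checked, and only then publishes the result with a single rename.

```python
"""Zip Slip plus extract-before-verify, beside a hardened installer.

Added example, not code from AGL app-framework-main. The signature is a
stand-in HMAC over the archive bytes (assumption); archives are constructed.
"""
import hashlib
import hmac
import io
import os
import shutil
import tempfile
import zipfile

KEY = b"demo-signing-key"  # constructed key for the stand-in signature


def build_widget(entries, key=KEY):
    """Return (archive_bytes, tag) for a constructed widget package."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    blob = buf.getvalue()
    return blob, hmac.new(key, blob, hashlib.sha256).hexdigest()


def signature_ok(blob, tag, key=KEY):
    return hmac.compare_digest(tag, hmac.new(key, blob, hashlib.sha256).hexdigest())


def vulnerable_install(blob, tag, root):
    """The pattern the advisory describes: write every entry, verify afterwards."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            dest = os.path.join(root, info.filename)  # entry name trusted as-is
            os.makedirs(os.path.dirname(dest), exist_ok=True)
            with open(dest, "wb") as fh:
                fh.write(zf.read(info))
    return signature_ok(blob, tag)  # too late: the files are already on disk


def entry_is_safe(info):
    """Reject absolute names, '..' components, backslashes and symlink entries."""
    name = info.filename
    if not name or name.startswith("/") or "\\" in name:
        return False
    if any(part in ("..", "") for part in name.strip("/").split("/")):
        return False
    return (info.external_attr >> 16) & 0o170000 != 0o120000  # S_IFLNK


def safe_install(blob, tag, root, widget_id):
    """Verify, validate all names, extract into a staging dir, then publish."""
    if not signature_ok(blob, tag):
        raise ValueError("signature mismatch: nothing written")
    root = os.path.realpath(root)
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        infos = zf.infolist()
        bad = [i.filename for i in infos if not entry_is_safe(i)]
        if bad:
            raise ValueError(f"unsafe entry names: {bad}")
        stage = os.path.realpath(tempfile.mkdtemp(prefix=".stage-", dir=root))
        try:
            for info in infos:
                dest = os.path.realpath(os.path.join(stage, info.filename))
                # Resolved target must stay inside the staging directory.
                if os.path.commonpath([stage, dest]) != stage:
                    raise ValueError(f"entry escapes staging dir: {info.filename!r}")
                if info.is_dir():
                    os.makedirs(dest, exist_ok=True)
                    continue
                os.makedirs(os.path.dirname(dest), exist_ok=True)
                with open(dest, "wb") as fh:
                    fh.write(zf.read(info))
        except Exception:
            shutil.rmtree(stage, ignore_errors=True)  # leave nothing behind
            raise
    final = os.path.join(root, widget_id)
    os.rename(stage, final)  # single publish step
    return final


def demo():
    """Run both installers in a throwaway tree; returns what each did."""
    out = {}
    evil_entries = {"../../pwned.txt": b"owned", "config.xml": b"<widget/>"}
    with tempfile.TemporaryDirectory() as base:
        root_v = os.path.join(base, "vuln", "widgets")
        root_s = os.path.join(base, "safe", "widgets")
        os.makedirs(root_v)
        os.makedirs(root_s)
        evil, good_tag = build_widget(evil_entries)
        bad_tag = "0" * 64  # forged signature
        # Vulnerable order: traversal entry lands two levels up, then verify fails.
        out["vuln_verified"] = vulnerable_install(evil, bad_tag, root_v)
        out["vuln_escaped"] = os.path.exists(os.path.join(base, "pwned.txt"))
        try:  # Hardened: bad signature, nothing touches disk
            safe_install(evil, bad_tag, root_s, "evil")
            out["safe_badsig"] = "accepted"
        except ValueError as exc:
            out["safe_badsig"] = str(exc)
        try:  # Hardened: valid signature but traversal name, rejected before writing
            safe_install(evil, good_tag, root_s, "evil")
            out["safe_traversal"] = "accepted"
        except ValueError as exc:
            out["safe_traversal"] = str(exc)
        out["safe_root_untouched"] = os.listdir(root_s) == []
        blob, tag = build_widget({"config.xml": b"<widget/>", "bin/app": b"\x7fELF"})
        final = safe_install(blob, tag, root_s, "hello")
        out["safe_installed"] = os.path.isfile(os.path.join(final, "bin", "app"))
    return out
```

Where the signature lives inside the package (as with W3C widget signature files) it cannot be checked before the archive is read, so the order becomes: validate names, extract into the private staging directory, verify there, and only then rename into the live install location. The staging-and-rename step is what keeps a rejected package from leaving files behind in either case.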

Business impact

An attacker who can get a crafted widget package into the installation flow can overwrite critical system files or drop executables of their choosing, leading to full system compromise. The CVSS score of 9.8 reflects that the write is arbitrary, persists after the install is rejected, and requires no valid signature.

Remediation

Immediate Action: Upgrade to the latest version of AGL app-framework-main, in which entry paths are validated before extraction and signature verification precedes any write to the install location.

Proactive Monitoring: Monitor filesystem integrity and alert on file creation outside the widget install directory during widget installation, particularly in system binary, library and configuration directories.

Compensating Controls: Run app-framework-main with the minimum filesystem permissions it needs, so that a traversal entry pointing outside the widget install directory cannot be written even if the validation is bypassed; read-only mounts for system directories limit the blast radius further.

Exploitation status

Public Exploit Available: No

Analyst recommendation

Immediate patching is required to address the insecure file handling in the installation process. Failure to update may allow attackers to bypass security controls and achieve persistence on the affected device.