GHSA-g4v6-69p6-q3p4
HIGHWiX Burn-based bundles are vulnerable to binary hijack when run as SYSTEM
Blast Radius
PanelSwWix4.SdkReal-time download stats are indexed for npm and PyPI packages. This vulnerability affects NuGet packages — download data is not available via public APIs for these ecosystems.
Description
Summary
Burn uses an unprotected C:\Windows\Temp directory to copy binaries and run them from there. This directory is not entirely protected against low privilege users.
Details
When a bundle runs as SYSTEM user, Burn uses GetTempPathW which points to an insecure directory C:\Windows\Temp to drop and load multiple binaries. Standard users can hijack the binary before it's loaded in the application resulting in elevation of privileges.
icacls c:\windows\temp
BUILTIN\Users:(CI)(S,WD,AD,X)
BUILTIN\Administrators:(F)
BUILTIN\Administrators:(OI)(CI)(IO)(F)
NT AUTHORITY\SYSTEM:(F)
NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F)
CREATOR OWNER:(OI)(CI)(IO)(F)
Built in users(non-administrators) have special permissions to this folder and can create files and write to this directory. While they do not have explicit read permissions, there is a way they can monitor the changes to this directory using ReadDirectoryChangesW API and thus figure out randomized folder names created inside this directory as wel
PoC
PoC works against the against visual studio enterprise with update 3 installer
Reproduction steps
As a standard user, run the poc. Mount the iso and run visual studio installer as local system account. The PoC should hijack the the binaries dropped by vs installer and a child process "notepad.exe" will be running.
Impact
This is an Elevation of Privilege Vulnerability where a low privileged user can hijack binaries in an unprotected path C:\Windows\Temp to elevate to the SYSTEM user privileges.
Affected Packages
| Ecosystem | Package | Vulnerable range | Fix |
|---|---|---|---|
| .NETNuGet | PanelSwWix4.Sdk | all versions | 5.0.0-psw-wix.0265-49 |
Detection & mitigation playbook
Open-source dependencyDetect
Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for PanelSwWix4.Sdk. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.
Fix
Update PanelSwWix4.Sdk to 5.0.0-psw-wix.0265-49 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-g4v6-69p6-q3p4 is resolved across your whole dependency graph.
Workarounds
If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.
How O3 protects you
O3 pinpoints whether GHSA-g4v6-69p6-q3p4 is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.
Tailored to GHSA-g4v6-69p6-q3p4. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.
Frequently Asked Questions
Is GHSA-g4v6-69p6-q3p4 in your dependencies?
O3 detects GHSA-g4v6-69p6-q3p4 across NuGet dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.