Perceptive Security
SOC/SIEM Consultancy

AGL app-framework-main thru 17.1.12 contains a Zip Slip path traversal vulnerability (CWE-22) combined with a TOCTOU race condition (CWE-367) in the widget inst…
Published:
30 April 2026 at 22:00:00
Alert date:
1 May 2026 at 18:06:04
Source:
nvd.nist.gov
Mobile & IoT, Operating Systems
AGL app-framework-main through version 17.1.12 contains a critical Zip Slip path traversal vulnerability (CWE-22) combined with a TOCTOU race condition (CWE-367) in the widget installation process. The vulnerability allows attackers to write files anywhere on the filesystem due to insufficient validation of ZIP entry names in the is_valid_filename function. The zread extraction function executes before signature verification, meaning malicious files persist even if signature checks fail. This creates a serious security risk where unsigned or malicious widgets can achieve arbitrary file write capabilities on the target system.
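As an added illustration of the two checks the advisory points at (not code from app-framework-main; function names and sample entry names are hypothetical), a lexical validator that rejects Zip Slip entry names, and a pass that checks every entry of an archive before any file is written:

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Lexically validate a ZIP entry name before it is ever used to open a
 * file. Hypothetical replacement for an is_valid_filename-style check.
 * Rejects absolute paths, backslash and drive-letter forms, empty
 * components ("a//b") and any ".." component. */
static bool zip_entry_name_is_safe(const char *name)
{
    if (name == NULL || name[0] == '\0')
        return false;                     /* empty name */
    if (name[0] == '/')
        return false;                     /* absolute path */
    if (strchr(name, '\\') != NULL)
        return false;                     /* backslash separator */
    if (strlen(name) >= 2 && name[1] == ':')
        return false;                     /* drive letter, e.g. C: */

    const char *p = name;
    while (*p != '\0') {
        const char *sep = strchr(p, '/');
        size_t len = sep ? (size_t)(sep - p) : strlen(p);
        if (len == 2 && p[0] == '.' && p[1] == '.')
            return false;                 /* ".." component */
        if (len == 0 && sep != NULL)
            return false;                 /* empty component "//" */
        if (sep == NULL)
            break;
        p = sep + 1;                      /* trailing '/' (dir entry) ok */
    }
    return true;
}

/* Check every entry name up front so a bad archive is rejected before
 * the first write, instead of leaving extracted files behind when a
 * later check fails. Returns index of the first unsafe entry, or -1. */
static int first_unsafe_entry(const char *const *names, size_t count)
{
    for (size_t i = 0; i < count; i++)
        if (!zip_entry_name_is_safe(names[i]))
            return (int)i;
    return -1;
}

int main(void)
{
    /* Constructed sample entry list, not from a real widget. */
    const char *const names[] = { "config.xml", "lib/", "../../etc/x" };
    int bad = first_unsafe_entry(names, 3);
    printf("first unsafe entry: %d (%s)\n", bad, bad < 0 ? "-" : names[bad]);
    return 0;
}
```

The same ordering applies to signature verification: verify the archive in full, then extract, so nothing is written for an archive that fails either check.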
Affected products:
AGL app-framework-main
Related links:
https://nvd.nist.gov/vuln/detail/CVE-2026-37531
https://gerrit.automotivelinux.org/gerrit/src/app-framework-main
https://gist.github.com/sgInnora/8526eedcfd826d05ef1fc45d8f405643
This article was created with the assistance of AI technology by Perceptive.
