Security News

Cybersecurity news aggregator

MEDIUM Vulnerabilities Reddit r/netsec

When Filenames Become Attack Surfaces: Weaponizing NASA's CFITSIO Extended Filename Syntax

  • What: Research on weaponizing NASA's CFITSIO extended filename syntax
  • Impact: Highlights potential security risks in file handling mechanisms

Doyensec LLC (doyensec.com, @doyensec, info@doyensec.com), © 2026.

This research was recently presented at BSides Luxembourg 2026. This blog post documents our findings presented during the talk. The BSides slides are posted here. Today, we're also releasing the Docker-based playground utilized for the demos so anyone interested can reproduce the findings locally: doyensec/cfitsio-efs-playground.

In our previous post on CFITSIO, we wrote about the AI-assisted fuzzing pipeline and the memory corruption issues found in its Extended Filename Syntax (EFS). This was only half of the story. We kept thinking that even without memory issues, EFS seems like a pretty powerful and rather risky feature. The EFS page is full of very interesting use cases. To quote some of them (emphasis mine):

  • 'rawfile.dat[i512,512]': reads raw binary data array (a 512x512 short integer array in this case) and converts it on the fly into a temporary FITS image in memory which is then opened by the application program.
  • 'ftp://heasarc.gsfc.nasa.gov/test/vela.fits': FITS files in any ftp archive site on the internet may be opened with read-only access. Files with HTTP addresses may be opened in the same way.
  • 'myfile.fits[EVENTS][PHA > 5]': creates and opens a temporary FITS file that is identical to 'myfile.fits' except that the EVENTS table will only contain the rows that have values of the PHA column greater than 5. In general, any arbitrary boolean expression using a C or Fortran-like syntax, which may…

That surely looks promising, right? Therefore, this post is about the next batch of findings. This time, there are no heap overflows or stack corruptions to discuss. We'll focus on perfectly documented features, useful during file processing, but chained together to achieve some unexpected offensive primitives. This article is not meant to criticize CFITSIO's authors or its code. I actively use tools that depend on CFITSIO and appreciate the work behind them. What interests me here is how perfectly reasonable legacy features can become real security problems once the surrounding software and threat model change.

As demonstrated, EFS is more than a mere filename parser. It is a mini-language hidden inside a filename parameter, capable of doing very interesting stuff. To understand how it works, we have to look into the source code. When an EFS-enabled method is used, the input string eventually reaches CFITSIO's internal ffopen() routine, which runs it through EFS parsing logic before the actual file is opened. At that stage, parts of the string may be reinterpreted as a protocol, outfile clause, extension selector, or filter expression.

The implementation is driver-based. CFITSIO keeps a table of registered backends through fits_register_driver, each associated with a prefix and a set of handler functions such as checkfile, open, create, seek, read, and write. Besides standard files, CFITSIO registers handlers for things like mem://, shmem://, http://, ftps://, and even exotic variants like ftpsmem://, ftpfile://, or ftpscompress://. This is why EFS can seamlessly jump between local files, memory-backed files, compressed variants, and network protocols without the caller doing anything special. Some of those drivers may implement write, create or seek methods, some may not. To achieve interesting primitives, we need to carefully review what's available and what's not.

To simplify testing and demonstrating while ensuring reproducibility, we built a minimal Docker playground around CFITSIO. The container includes a tiny helper program called fits-sample-opener. In the insecure mode, it just calls fits_open_file, performs one harmless metadata query, and exits. The helper does almost nothing on purpose. If opening a file causes a network request, a local file copy, or outbound exfiltration, that behavior comes from CFITSIO itself.

That additional metadata query is there for a reason: some EFS behaviors do not fully materialize on the initial open alone. We wanted the sample application to stay minimal while still triggering side effects like a real caller that actually inspects the file it just opened. The full environment, including the helper program, building instructions, and the fake root:// server used later in this post, is available here. Make sure to target the right git tag/release as EFS handling might change in the future.
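The parsing described above, where one string is split into a driver prefix, an outfile clause, an extension selector and a filter, is what turns a filename into an attack surface for any caller that forwards untrusted input to fits_open_file. The following C program is an added example, not CFITSIO's code and not part of Doyensec's playground: a conservative pre-check that classifies an untrusted filename by the EFS constructs it would trigger, so an application that only ever needs plain on-disk files can reject everything else before CFITSIO sees the string. The function names efs_classify and efs_is_plain_path, the flag values and the sample inputs are this example's own (three of the samples are the EFS documentation examples quoted above, the rest are constructed); the check approximates the delimiters CFITSIO's parser keys on (a run of letters followed by "://", a parenthesised outfile clause, square brackets, and "-" for stdin) rather than reproducing its full grammar, so it errs toward flagging.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Added example (not CFITSIO or Doyensec code): which EFS features would an
 * untrusted filename trigger if handed to fits_open_file()? */
enum {
    EFS_URLTYPE = 1 << 0, /* driver prefix such as http://, ftp://, mem://, shmem:// */
    EFS_OUTFILE = 1 << 1, /* "(outfile)" clause: CFITSIO would write a copy */
    EFS_BRACKET = 1 << 2, /* "[...]" extension selector, row filter, or raw-image spec */
    EFS_STDIN   = 1 << 3  /* "-" alone: read from standard input */
};

/* Classify 'name'. Returns the OR of the flags above (0 = plain local path)
 * and copies the bare path, i.e. everything after a driver prefix and before
 * the first '(' or '[', into 'bare' (at most bare_len-1 characters). */
int efs_classify(const char *name, char *bare, size_t bare_len)
{
    int flags = 0;
    const char *start = name;
    const char *sep;
    size_t n;

    if (bare_len > 0)
        bare[0] = '\0';

    if (strcmp(name, "-") == 0)
        return EFS_STDIN;

    /* A driver prefix is a non-empty run of letters immediately followed by "://". */
    sep = strstr(name, "://");
    if (sep != NULL && sep > name) {
        const char *q;
        int letters = 1;
        for (q = name; q < sep; q++) {
            if (!isalpha((unsigned char)*q)) { letters = 0; break; }
        }
        if (letters) {
            flags |= EFS_URLTYPE;
            start = sep + 3;
        }
    }

    /* The bare path ends at the first EFS delimiter after the prefix. */
    n = strcspn(start, "([");
    if (start[n] == '(')
        flags |= EFS_OUTFILE;
    if (strchr(start, '[') != NULL)
        flags |= EFS_BRACKET;

    if (bare_len > 0) {
        if (n >= bare_len)
            n = bare_len - 1;
        memcpy(bare, start, n);
        bare[n] = '\0';
    }
    return flags;
}

/* 1 if 'name' carries no EFS construct at all; callers that only need on-disk
 * files can reject anything else before CFITSIO ever parses the string. */
int efs_is_plain_path(const char *name)
{
    char scratch[1];
    return efs_classify(name, scratch, sizeof scratch) == 0;
}

int main(void)
{
    /* Constructed inputs; entries 2-4 are the EFS documentation examples quoted in the post. */
    const char *samples[] = {
        "data/obs.fits",
        "rawfile.dat[i512,512]",
        "ftp://heasarc.gsfc.nasa.gov/test/vela.fits",
        "myfile.fits[EVENTS][PHA > 5]",
        "in.fits(copy.fits)[1]",
        "-"
    };
    char bare[256];
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int f = efs_classify(samples[i], bare, sizeof bare);
        printf("%-44s flags=0x%x bare=\"%s\"%s\n", samples[i], f, bare,
               f ? "  (EFS construct: reject or sanitize)" : "  (plain path)");
    }
    return 0;
}
```

Applications that never need EFS can instead call CFITSIO's fits_open_diskfile, which treats the name as a literal disk path and skips EFS parsing; the classifier is for callers that want to keep fits_open_file but restrict what reaches it, and it deliberately flags legitimate filenames that happen to contain '(' or '['.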
