Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Lifecycle Timeline
2DescriptionGitHub Advisory
Halloy is an IRC application written in Rust. Prior to commit 0f77b2cfc5f822517a256ea5a4b94bad8bfe38b6, the DCC receive flow did not sanitize filenames from incoming DCC SEND requests. A remote IRC user could send a filename with path traversal sequences like ../../.ssh/authorized_keys and the file would be written outside the user's configured save_directory. With auto-accept enabled this required zero interaction from the victim. Starting with commit 0f77b2cfc5f822517a256ea5a4b94bad8bfe38b6, all identified code paths sanitize filenames through a shared sanitize_filename function.
AnalysisAI
Halloy, a Rust-based IRC application, contains a path traversal vulnerability in its DCC (Direct Client-to-Client) receive functionality that fails to sanitize filenames from incoming DCC SEND requests prior to commit 0f77b2cfc5f822517a256ea5a4b94bad8bfe38b6. Remote IRC users can exploit this vulnerability to write files outside the configured save directory using path traversal sequences like ../../.ssh/authorized_keys, potentially allowing arbitrary file placement on the victim's system with zero user interaction if auto-accept is enabled. The vulnerability has been patched and is tracked under CWE-22 (Improper Limitation of a Pathname to a Restricted Directory).
Technical ContextAI
The vulnerability exists in Halloy's DCC SEND protocol handler, which is part of the IRC protocol suite used for direct peer-to-peer file transfers. DCC SEND requests include a filename parameter that was previously passed directly to file writing operations without validation against path traversal sequences. The root cause falls under CWE-22 (Path Traversal), where insufficient input validation allows an attacker to specify relative path components (../) to escape the intended save directory. The affected product is identified via CPE as cpe:2.3:a:squidowl:halloy:*:*:*:*:*:*:*:* with all versions prior to the patch commit being vulnerable. The fix implements a shared sanitize_filename function across all DCC receive code paths, likely normalizing the filename and removing or rejecting path traversal sequences.
RemediationAI
Upgrade Halloy to a version released at or after commit 0f77b2cfc5f822517a256ea5a4b94bad8bfe38b6, which includes the sanitize_filename function across all DCC receive code paths. Consult https://github.com/squidowl/halloy/security/advisories/GHSA-fqrv-rfg4-rv89 for the specific release version that includes this patch and installation instructions. As a temporary workaround prior to patching, disable auto-accept functionality for DCC SEND requests to require manual confirmation before files are downloaded, reducing the attack surface. Additionally, review the DCC save directory configuration to ensure it is located on a filesystem partition with restricted write permissions where practical, and consider running Halloy with minimal filesystem privileges using containerization or sandboxing if available.
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allVendor StatusVendor
SUSE
Severity: MediumShare
External POC / Exploit Code
Leaving vuln.today