Skip to main content

Suse CVE-2026-32733

MEDIUM
Path Traversal (CWE-22)
2026-03-20 GitHub_M
6.5
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
SUSE
MEDIUM
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None

Lifecycle Timeline

2
Analysis Generated
Mar 20, 2026 - 23:01 vuln.today
CVE Published
Mar 20, 2026 - 22:37 nvd
MEDIUM 6.5

DescriptionGitHub Advisory

Halloy is an IRC application written in Rust. Prior to commit 0f77b2cfc5f822517a256ea5a4b94bad8bfe38b6, the DCC receive flow did not sanitize filenames from incoming DCC SEND requests. A remote IRC user could send a filename with path traversal sequences like ../../.ssh/authorized_keys and the file would be written outside the user's configured save_directory. With auto-accept enabled this required zero interaction from the victim. Starting with commit 0f77b2cfc5f822517a256ea5a4b94bad8bfe38b6, all identified code paths sanitize filenames through a shared sanitize_filename function.

AnalysisAI

Halloy, a Rust-based IRC application, contains a path traversal vulnerability in its DCC (Direct Client-to-Client) receive functionality that fails to sanitize filenames from incoming DCC SEND requests prior to commit 0f77b2cfc5f822517a256ea5a4b94bad8bfe38b6. Remote IRC users can exploit this vulnerability to write files outside the configured save directory using path traversal sequences like ../../.ssh/authorized_keys, potentially allowing arbitrary file placement on the victim's system with zero user interaction if auto-accept is enabled. The vulnerability has been patched and is tracked under CWE-22 (Improper Limitation of a Pathname to a Restricted Directory).

Technical ContextAI

The vulnerability exists in Halloy's DCC SEND protocol handler, which is part of the IRC protocol suite used for direct peer-to-peer file transfers. DCC SEND requests include a filename parameter that was previously passed directly to file writing operations without validation against path traversal sequences. The root cause falls under CWE-22 (Path Traversal), where insufficient input validation allows an attacker to specify relative path components (../) to escape the intended save directory. The affected product is identified via CPE as cpe:2.3:a:squidowl:halloy:*:*:*:*:*:*:*:* with all versions prior to the patch commit being vulnerable. The fix implements a shared sanitize_filename function across all DCC receive code paths, likely normalizing the filename and removing or rejecting path traversal sequences.

RemediationAI

Upgrade Halloy to a version released at or after commit 0f77b2cfc5f822517a256ea5a4b94bad8bfe38b6, which includes the sanitize_filename function across all DCC receive code paths. Consult https://github.com/squidowl/halloy/security/advisories/GHSA-fqrv-rfg4-rv89 for the specific release version that includes this patch and installation instructions. As a temporary workaround prior to patching, disable auto-accept functionality for DCC SEND requests to require manual confirmation before files are downloaded, reducing the attack surface. Additionally, review the DCC save directory configuration to ensure it is located on a filesystem partition with restricted write permissions where practical, and consider running Halloy with minimal filesystem privileges using containerization or sandboxing if available.

Vendor StatusVendor

SUSE

Severity: Medium

Share

CVE-2026-32733 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy