Severity by source
AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N
Lifecycle Timeline
3DescriptionGitHub Advisory
Impact
A receiver who specifies "--output <dir>" where that output directory currently exists (as a directory).
Patches
0.24.0 will contain the patch
Workarounds
Ensure local target directories specified by "--output" do not already exist
Resources
Private email and Signal communications from a user. Magic Wormhole thanks @marduc812
AnalysisAI
Path traversal vulnerability in Magic Wormhole receive command allows authenticated attackers to write files outside the intended output directory when the specified output directory already exists, enabling arbitrary file write with low complexity via network delivery of a specially crafted transfer request.
Technical ContextAI
Magic Wormhole is a Python-based secure file transfer utility that uses a rendezvous server and SPAKE2 key exchange to establish encrypted channels between sender and receiver. The vulnerability exists in the receive command's handling of the '--output' parameter (CPE: pkg:pip/magic-wormhole). The root cause is a path traversal flaw (CWE-22: Improper Limitation of a Pathname to a Restricted Directory) where the application fails to properly validate that file writes remain within the intended output directory when that directory pre-exists. The issue manifests when a receiver specifies an existing directory as the output target, allowing the sender to craft a transfer with embedded path traversal sequences (e.g., '../') that cause files to be written to arbitrary locations on the receiver's filesystem, bypassing the intended directory containment.
RemediationAI
Upgrade Magic Wormhole to version 0.24.0 or later immediately. Install the patched version using pip: 'pip install --upgrade magic-wormhole>=0.24.0'. For users unable to upgrade immediately, apply the workaround documented by the vendor: ensure that local target directories specified by the '--output' parameter do not already exist before initiating a receive operation. Create output directories dynamically during the receive operation rather than pre-creating them, or use a fresh temporary directory for each receive session. Note that this workaround changes user workflow and is intended only as a temporary measure pending upgrade. The patch version 0.24.0 is available from the official PyPI repository and can be verified via the GitHub repository at https://github.com/magic-wormhole/magic-wormhole/releases.
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31947
GHSA-cf92-gfcw-6v53