Skip to main content

Magic Wormhole EUVDEUVD-2026-31947

| CVE-2026-42448 LOW
Path Traversal (CWE-22)
2026-05-06 https://github.com/magic-wormhole/magic-wormhole GHSA-cf92-gfcw-6v53
3.5
CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY
3.5 LOW
AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

3
Source Code Evidence Fetched
May 06, 2026 - 21:31 vuln.today
Analysis Generated
May 06, 2026 - 21:31 vuln.today
CVE Published
May 06, 2026 - 20:40 nvd
LOW 3.5

DescriptionGitHub Advisory

Impact

A receiver who specifies "--output <dir>" where that output directory currently exists (as a directory).

Patches

0.24.0 will contain the patch

Workarounds

Ensure local target directories specified by "--output" do not already exist

Resources

Private email and Signal communications from a user. Magic Wormhole thanks @marduc812

AnalysisAI

Path traversal vulnerability in Magic Wormhole receive command allows authenticated attackers to write files outside the intended output directory when the specified output directory already exists, enabling arbitrary file write with low complexity via network delivery of a specially crafted transfer request.

Technical ContextAI

Magic Wormhole is a Python-based secure file transfer utility that uses a rendezvous server and SPAKE2 key exchange to establish encrypted channels between sender and receiver. The vulnerability exists in the receive command's handling of the '--output' parameter (CPE: pkg:pip/magic-wormhole). The root cause is a path traversal flaw (CWE-22: Improper Limitation of a Pathname to a Restricted Directory) where the application fails to properly validate that file writes remain within the intended output directory when that directory pre-exists. The issue manifests when a receiver specifies an existing directory as the output target, allowing the sender to craft a transfer with embedded path traversal sequences (e.g., '../') that cause files to be written to arbitrary locations on the receiver's filesystem, bypassing the intended directory containment.

RemediationAI

Upgrade Magic Wormhole to version 0.24.0 or later immediately. Install the patched version using pip: 'pip install --upgrade magic-wormhole>=0.24.0'. For users unable to upgrade immediately, apply the workaround documented by the vendor: ensure that local target directories specified by the '--output' parameter do not already exist before initiating a receive operation. Create output directories dynamically during the receive operation rather than pre-creating them, or use a fresh temporary directory for each receive session. Note that this workaround changes user workflow and is intended only as a temporary measure pending upgrade. The patch version 0.24.0 is available from the official PyPI repository and can be verified via the GitHub repository at https://github.com/magic-wormhole/magic-wormhole/releases.

Share

EUVD-2026-31947 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy