Vulnerability-Lookup

CVE-2026-32805 (GCVE-0-2026-32805)

Vulnerability from cvelistv5 – Published: 2026-03-18 22:24 – Updated: 2026-03-19 13:46

Title

Romeo is vulnerable to Archive Slip due to missing checks in sanitization

Summary

Romeo gives the capability to reach high code coverage of Go ≥1.20 apps by helping to measure code coverage for functional and integration tests within GitHub Actions. Prior to version 0.2.2, the `sanitizeArchivePath` function in `webserver/api/v1/decoder.go` (lines 80-88) is vulnerable to a path traversal bypass due to a missing trailing path separator in the `strings.HasPrefix` check. A crafted tar archive can write files outside the intended destination directory. Version 0.2.2 fixes the issue.

Severity ?

8.3 (High)


                        
                          CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:L/SA:L

CWE

CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Assigner

GitHub_M

References

URL

Tags

	https://github.com/ctfer-io/romeo/security/adviso…	x_refsource_CONFIRM
	https://github.com/ctfer-io/romeo/commit/c2ebcfb9…	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	ctfer-io	romeo	Affected: < 0.2.2

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-32805",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-19T13:46:46.532702Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-19T13:46:59.937Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/ctfer-io/romeo/security/advisories/GHSA-p799-g7vv-f279"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "romeo",
          "vendor": "ctfer-io",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 0.2.2"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Romeo gives the capability to reach high code coverage of Go \u22651.20 apps by helping to measure code coverage for functional and integration tests within GitHub Actions. Prior to version 0.2.2, the `sanitizeArchivePath` function in `webserver/api/v1/decoder.go` (lines 80-88) is vulnerable to a path traversal bypass due to a missing trailing path separator in the `strings.HasPrefix` check. A crafted tar archive can write files outside the intended destination directory. Version 0.2.2 fixes the issue."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 8.3,
            "baseSeverity": "HIGH",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "LOW",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "LOW",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:L/SA:L",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "HIGH"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-22",
              "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-18T22:24:29.102Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/ctfer-io/romeo/security/advisories/GHSA-p799-g7vv-f279",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/ctfer-io/romeo/security/advisories/GHSA-p799-g7vv-f279"
        },
        {
          "name": "https://github.com/ctfer-io/romeo/commit/c2ebcfb9f305fd5f6ef68858de82507dbac10263",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/ctfer-io/romeo/commit/c2ebcfb9f305fd5f6ef68858de82507dbac10263"
        }
      ],
      "source": {
        "advisory": "GHSA-p799-g7vv-f279",
        "discovery": "UNKNOWN"
      },
      "title": "Romeo is vulnerable to Archive Slip due to missing checks in sanitization"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-32805",
    "datePublished": "2026-03-18T22:24:29.102Z",
    "dateReserved": "2026-03-16T17:35:36.695Z",
    "dateUpdated": "2026-03-19T13:46:59.937Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-32805",
      "date": "2026-04-23",
      "epss": "0.00064",
      "percentile": "0.19863"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-32805\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-03-18T23:17:30.213\",\"lastModified\":\"2026-03-24T21:26:26.890\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Romeo gives the capability to reach high code coverage of Go \u22651.20 apps by helping to measure code coverage for functional and integration tests within GitHub Actions. Prior to version 0.2.2, the `sanitizeArchivePath` function in `webserver/api/v1/decoder.go` (lines 80-88) is vulnerable to a path traversal bypass due to a missing trailing path separator in the `strings.HasPrefix` check. A crafted tar archive can write files outside the intended destination directory. Version 0.2.2 fixes the issue.\"},{\"lang\":\"es\",\"value\":\"Romeo permite alcanzar una alta cobertura de c\u00f3digo en aplicaciones Go ?1.20, ya que ayuda a medir la cobertura de c\u00f3digo en pruebas funcionales y de integraci\u00f3n dentro de GitHub Actions. Antes de la versi\u00f3n 0.2.2, la funci\u00f3n `sanitizeArchivePath` en `webserver/api/v1/decoder.go` (l\u00edneas 80-88) era vulnerable a un bypass de recorrido de ruta debido a la falta de un separador de ruta final en la comprobaci\u00f3n `strings.HasPrefix`. Un archivo tar malicioso pod\u00eda escribir archivos fuera del directorio de destino previsto. La versi\u00f3n 0.2.2 corrige el problema.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":8.3,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"PRESENT\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"vulnConfidentialityImpact\":\"NONE\",\"vulnIntegrityImpact\":\"HIGH\",\"vulnAvailabilityImpact\":\"HIGH\",\"subConfidentialityImpact\":\"NONE\",\"subIntegrityImpact\":\"LOW\",\"subAvailabilityImpact\":\"LOW\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}],\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-22\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:ctfer-io:romeo:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"0.2.2\",\"matchCriteriaId\":\"34A1A13E-5E86-4A98-99D2-738F4014415D\"}]}]}],\"references\":[{\"url\":\"https://github.com/ctfer-io/romeo/commit/c2ebcfb9f305fd5f6ef68858de82507dbac10263\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/ctfer-io/romeo/security/advisories/GHSA-p799-g7vv-f279\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]},{\"url\":\"https://github.com/ctfer-io/romeo/security/advisories/GHSA-p799-g7vv-f279\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-32805\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-03-19T13:46:46.532702Z\"}}}], \"references\": [{\"url\": \"https://github.com/ctfer-io/romeo/security/advisories/GHSA-p799-g7vv-f279\", \"tags\": [\"exploit\"]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-03-19T13:46:38.632Z\"}}], \"cna\": {\"title\": \"Romeo is vulnerable to Archive Slip due to missing checks in sanitization\", \"source\": {\"advisory\": \"GHSA-p799-g7vv-f279\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV4_0\": {\"version\": \"4.0\", \"baseScore\": 8.3, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:L/SA:L\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"PRESENT\", \"privilegesRequired\": \"NONE\", \"subIntegrityImpact\": \"LOW\", \"vulnIntegrityImpact\": \"HIGH\", \"subAvailabilityImpact\": \"LOW\", \"vulnAvailabilityImpact\": \"HIGH\", \"subConfidentialityImpact\": \"NONE\", \"vulnConfidentialityImpact\": \"NONE\"}}], \"affected\": [{\"vendor\": \"ctfer-io\", \"product\": \"romeo\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 0.2.2\"}]}], \"references\": [{\"url\": \"https://github.com/ctfer-io/romeo/security/advisories/GHSA-p799-g7vv-f279\", \"name\": \"https://github.com/ctfer-io/romeo/security/advisories/GHSA-p799-g7vv-f279\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/ctfer-io/romeo/commit/c2ebcfb9f305fd5f6ef68858de82507dbac10263\", \"name\": \"https://github.com/ctfer-io/romeo/commit/c2ebcfb9f305fd5f6ef68858de82507dbac10263\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Romeo gives the capability to reach high code coverage of Go \\u22651.20 apps by helping to measure code coverage for functional and integration tests within GitHub Actions. Prior to version 0.2.2, the `sanitizeArchivePath` function in `webserver/api/v1/decoder.go` (lines 80-88) is vulnerable to a path traversal bypass due to a missing trailing path separator in the `strings.HasPrefix` check. A crafted tar archive can write files outside the intended destination directory. Version 0.2.2 fixes the issue.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-22\", \"description\": \"CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-03-18T22:24:29.102Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-32805\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-03-19T13:46:59.937Z\", \"dateReserved\": \"2026-03-16T17:35:36.695Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-03-18T22:24:29.102Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

FKIE_CVE-2026-32805

Vulnerability from fkie_nvd - Published: 2026-03-18 23:17 - Updated: 2026-03-24 21:26

Severity ?

7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Summary

References

URL	Tags
security-advisories@github.com	https://github.com/ctfer-io/romeo/commit/c2ebcfb9f305fd5f6ef68858de82507dbac10263	Patch
security-advisories@github.com	https://github.com/ctfer-io/romeo/security/advisories/GHSA-p799-g7vv-f279	Exploit, Vendor Advisory
134c704f-9b21-4f2e-91b3-4a467353bcc0	https://github.com/ctfer-io/romeo/security/advisories/GHSA-p799-g7vv-f279	Exploit, Vendor Advisory

Impacted products

	Vendor	Product	Version
	ctfer-io	romeo	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:ctfer-io:romeo:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "34A1A13E-5E86-4A98-99D2-738F4014415D",
              "versionEndExcluding": "0.2.2",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Romeo gives the capability to reach high code coverage of Go \u22651.20 apps by helping to measure code coverage for functional and integration tests within GitHub Actions. Prior to version 0.2.2, the `sanitizeArchivePath` function in `webserver/api/v1/decoder.go` (lines 80-88) is vulnerable to a path traversal bypass due to a missing trailing path separator in the `strings.HasPrefix` check. A crafted tar archive can write files outside the intended destination directory. Version 0.2.2 fixes the issue."
    },
    {
      "lang": "es",
      "value": "Romeo permite alcanzar una alta cobertura de c\u00f3digo en aplicaciones Go ?1.20, ya que ayuda a medir la cobertura de c\u00f3digo en pruebas funcionales y de integraci\u00f3n dentro de GitHub Actions. Antes de la versi\u00f3n 0.2.2, la funci\u00f3n `sanitizeArchivePath` en `webserver/api/v1/decoder.go` (l\u00edneas 80-88) era vulnerable a un bypass de recorrido de ruta debido a la falta de un separador de ruta final en la comprobaci\u00f3n `strings.HasPrefix`. Un archivo tar malicioso pod\u00eda escribir archivos fuera del directorio de destino previsto. La versi\u00f3n 0.2.2 corrige el problema."
    }
  ],
  "id": "CVE-2026-32805",
  "lastModified": "2026-03-24T21:26:26.890",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ],
    "cvssMetricV40": [
      {
        "cvssData": {
          "Automatable": "NOT_DEFINED",
          "Recovery": "NOT_DEFINED",
          "Safety": "NOT_DEFINED",
          "attackComplexity": "LOW",
          "attackRequirements": "PRESENT",
          "attackVector": "NETWORK",
          "availabilityRequirement": "NOT_DEFINED",
          "baseScore": 8.3,
          "baseSeverity": "HIGH",
          "confidentialityRequirement": "NOT_DEFINED",
          "exploitMaturity": "NOT_DEFINED",
          "integrityRequirement": "NOT_DEFINED",
          "modifiedAttackComplexity": "NOT_DEFINED",
          "modifiedAttackRequirements": "NOT_DEFINED",
          "modifiedAttackVector": "NOT_DEFINED",
          "modifiedPrivilegesRequired": "NOT_DEFINED",
          "modifiedSubAvailabilityImpact": "NOT_DEFINED",
          "modifiedSubConfidentialityImpact": "NOT_DEFINED",
          "modifiedSubIntegrityImpact": "NOT_DEFINED",
          "modifiedUserInteraction": "NOT_DEFINED",
          "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
          "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
          "modifiedVulnIntegrityImpact": "NOT_DEFINED",
          "privilegesRequired": "NONE",
          "providerUrgency": "NOT_DEFINED",
          "subAvailabilityImpact": "LOW",
          "subConfidentialityImpact": "NONE",
          "subIntegrityImpact": "LOW",
          "userInteraction": "NONE",
          "valueDensity": "NOT_DEFINED",
          "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
          "version": "4.0",
          "vulnAvailabilityImpact": "HIGH",
          "vulnConfidentialityImpact": "NONE",
          "vulnIntegrityImpact": "HIGH",
          "vulnerabilityResponseEffort": "NOT_DEFINED"
        },
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-03-18T23:17:30.213",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/ctfer-io/romeo/commit/c2ebcfb9f305fd5f6ef68858de82507dbac10263"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Vendor Advisory"
      ],
      "url": "https://github.com/ctfer-io/romeo/security/advisories/GHSA-p799-g7vv-f279"
    },
    {
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "tags": [
        "Exploit",
        "Vendor Advisory"
      ],
      "url": "https://github.com/ctfer-io/romeo/security/advisories/GHSA-p799-g7vv-f279"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-22"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}

GHSA-P799-G7VV-F279

Vulnerability from github – Published: 2026-03-16 20:47 – Updated: 2026-03-19 21:15

Summary

Romeo is vulnerable to Archive Slip due to missing checks in sanitization

Details

Summary

The sanitizeArchivePath function in webserver/api/v1/decoder.go (lines 80-88) is vulnerable to a path traversal bypass due to a missing trailing path separator in the strings.HasPrefix check. A crafted tar archive can write files outside the intended destination directory.

Vulnerable Code

File: webserver/api/v1/decoder.go, lines 80-88

func sanitizeArchivePath(d, t string) (v string, err error) {
    v = filepath.Join(d, t)
    if strings.HasPrefix(v, filepath.Clean(d)) {
        return v, nil
    }
    return "", &ErrPathTainted{
        Path: t,
    }
}

The function is called at line 48 inside [*Decompressor].Unzip, which is invoked by Decode (line 80) during execution of the webserver CLI (command download).

Root Cause

strings.HasPrefix(v, filepath.Clean(d)) does not append a trailing / to the directory prefix, causing a directory name prefix collision. If the destination is /home/user/extract-output and a tar entry is named ../extract-outputevil/pwned, the joined path /home/user/extract-outputevil/pwned passes the prefix check — it starts with /home/user/extract-output — even though it is entirely outside the intended directory.

Steps to Reproduce

Deploy Romeo. A measured app writes its coverage data.
Place the PoC zip on the PVC. Any pod with write access to the ReadWriteMany PVC (or the webserver itself) copies a poc-path-traversal.tar into the coverdir mount path. The archive contains legitimate coverage files alongside two crafted entries with path-traversal names.
Run the webserver CLI against the running webserver: webserver download \ --server http://localhost:8080 \ --directory /home/user/extract-output
Observe the bypass. unzip processes the zip stream. For the malicious entries: ``` // entry name: ../extract-outputevil/poc-proof.txt filepath.Join("/home/user/extract-output", "../extract-outputevil/poc-proof.txt") => "/home/user/extract-outputevil/poc-proof.txt"

strings.HasPrefix("/home/user/extract-outputevil/poc-proof.txt", "/home/user/extract-output") => true // BUG: prefix collision; file lands OUTSIDE target dir `` Both malicious entries are written outside/home/user/extract-output/`. The legitimate coverage files land correctly inside it.

Impact

Successful exploitation gives an attacker arbitrary file write on the machine running the webserver CLI. Real-world primitives include:

Overwriting ~/.bashrc / ~/.zshrc / ~/.profile for RCE on next shell login
Appending to ~/.ssh/authorized_keys for persistent SSH backdoor
Dropping a malicious entry into ~/.kube/config to hijack cluster access
Writing crontab entries for persistent scheduled execution

The attack surface is widened by the default ReadWriteMany PVC access mode, which means any pod in the cluster with the PVC mounted can inject the payload — not just the Romeo webserver itself.

Severity ?

8.3 (High)


                  
                    CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:L/SA:L

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/ctfer-io/romeo/webserver"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.2.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-32805"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-16T20:47:02Z",
    "nvd_published_at": "2026-03-18T23:17:30Z",
    "severity": "HIGH"
  },
  "details": "## Summary\n\nThe `sanitizeArchivePath` function in `webserver/api/v1/decoder.go` (lines 80-88) is vulnerable to a path traversal bypass due to a missing trailing path separator in the `strings.HasPrefix` check. A crafted tar archive can write files outside the intended destination directory.\n\n## Vulnerable Code\n\nFile: `webserver/api/v1/decoder.go`, lines 80-88\n\n```go\nfunc sanitizeArchivePath(d, t string) (v string, err error) {\n\tv = filepath.Join(d, t)\n\tif strings.HasPrefix(v, filepath.Clean(d)) {\n\t\treturn v, nil\n\t}\n\treturn \"\", \u0026ErrPathTainted{\n\t\tPath: t,\n\t}\n}\n```\n\nThe function is called at line 48 inside `[*Decompressor].Unzip`, which is invoked by `Decode` (line 80) during execution of the webserver CLI (command `download`).\n\n## Root Cause\n\n`strings.HasPrefix(v, filepath.Clean(d))` does not append a trailing `/` to the directory prefix, causing a **directory name prefix collision**. If the destination is `/home/user/extract-output` and a tar entry is named `../extract-outputevil/pwned`, the joined path `/home/user/extract-outputevil/pwned` passes the prefix check \u2014 it starts with `/home/user/extract-output` \u2014 even though it is entirely outside the intended directory.\n\n## Steps to Reproduce\n\n1. **Deploy Romeo**. A measured app writes its coverage data.\n\n2. **Place the PoC zip on the PVC.** Any pod with write access to the `ReadWriteMany` PVC (or the webserver itself) copies a `poc-path-traversal.tar` into the `coverdir` mount path. The archive contains legitimate coverage files alongside two crafted entries with path-traversal names.\n\n3. **Run the webserver CLI against the running webserver:**\n   ```\n   webserver download \\\n     --server http://localhost:8080 \\\n     --directory /home/user/extract-output\n   ```\n\n4. **Observe the bypass.** `unzip` processes the zip stream. For the malicious entries:\n   ```\n   // entry name: ../extract-outputevil/poc-proof.txt\n   filepath.Join(\"/home/user/extract-output\", \"../extract-outputevil/poc-proof.txt\")\n     =\u003e \"/home/user/extract-outputevil/poc-proof.txt\"\n\n   strings.HasPrefix(\"/home/user/extract-outputevil/poc-proof.txt\",\n                     \"/home/user/extract-output\")\n     =\u003e true   // BUG: prefix collision; file lands OUTSIDE target dir\n   ```\n   Both malicious entries are written outside `/home/user/extract-output/`. The legitimate coverage files land correctly inside it.\n\n## Impact\n\nSuccessful exploitation gives an attacker arbitrary file write on the machine running the webserver CLI. Real-world primitives include:\n\n- Overwriting `~/.bashrc` / `~/.zshrc` / `~/.profile` for RCE on next shell login\n- Appending to `~/.ssh/authorized_keys` for persistent SSH backdoor\n- Dropping a malicious entry into `~/.kube/config` to hijack cluster access\n- Writing crontab entries for persistent scheduled execution\n\nThe attack surface is widened by the default `ReadWriteMany` PVC access mode, which means any pod in the cluster with the PVC mounted can inject the payload \u2014 not just the Romeo webserver itself.",
  "id": "GHSA-p799-g7vv-f279",
  "modified": "2026-03-19T21:15:42Z",
  "published": "2026-03-16T20:47:02Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/ctfer-io/romeo/security/advisories/GHSA-p799-g7vv-f279"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32805"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ctfer-io/romeo/commit/c2ebcfb9f305fd5f6ef68858de82507dbac10263"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/ctfer-io/romeo"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:L/SA:L",
      "type": "CVSS_V4"
    }
  ],
  "summary": " Romeo is vulnerable to Archive Slip due to missing checks in sanitization"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-32805 (GCVE-0-2026-32805)

FKIE_CVE-2026-32805

GHSA-P799-G7VV-F279

Summary

Vulnerable Code

Root Cause

Steps to Reproduce

Impact

Tags

Sightings

Nomenclature