GHSA-cf92-gfcw-6v53

Source
https://github.com/advisories/GHSA-cf92-gfcw-6v53
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-cf92-gfcw-6v53/GHSA-cf92-gfcw-6v53.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-cf92-gfcw-6v53
Aliases
  • CVE-2026-42448
Published
2026-05-06T20:40:17Z
Modified
2026-05-06T20:49:04.504084Z
Severity
  • 3.5 (Low) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N
Summary
Magic Wormhole: receive with --output pointing at an existing directory can be path-traversed
Details

Impact

This affects a receiver who specifies "--output <dir>" where that output directory already exists (as a directory).

Patches

0.24.0 will contain the patch

Workarounds

Ensure local target directories specified by "--output" do not already exist

Resources

Private email and Signal communications from a user. Magic Wormhole thanks @marduc812

Database specific
{
    "cwe_ids": [
        "CWE-22"
    ],
    "nvd_published_at": null,
    "severity": "LOW",
    "github_reviewed_at": "2026-05-06T20:40:17Z",
    "github_reviewed": true
}

Affected packages

PyPI / magic-wormhole

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0.23.0
Fixed
0.24.0

Affected versions

0.*
0.23.0

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-cf92-gfcw-6v53/GHSA-cf92-gfcw-6v53.json"