Overview: 1 vulnerability

WSA         Score  Severity  Issue                                                            Vulnerability type                                                              Scope  Versions       Fix    Release date
WSA-2026-6  9.3    critical  Write of DCC file received outside of configured download path.  Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')  Xfer   0.0.8 → 4.9.1  4.9.2

WSA-2026-6: [Xfer] Write of DCC file received outside of configured download path.

Vulnerability
CVE: Not available
CVSS vector: AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:H
CVSS score: 9.3 / 10
Severity: critical
Vulnerability type: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Scope: Xfer
Affected versions: 0.0.8 → 4.9.1
Fixed version: 4.9.2 (ChangeLog)
Tracker: Commits
Description
When receiving a DCC file, the local filename is built from the remote nick (the option xfer.file.use_nick_in_filename is on by default) and the name sent by the peer.
If the nick contains special characters that the filesystem interprets as path components (a directory separator or a parent-directory reference), the file could be written outside the configured download path.
Xfer never overwrites an existing file: if a file with the same name already exists, a numeric suffix such as ".1" is appended to the filename, so the issue allows creating new files outside the download path but not replacing existing ones.
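The following is an added example, not WeeChat's xfer code: a naive filename builder in the shape the advisory describes, a lexical check for whether the resulting path leaves the download directory, and a hardened builder that sanitizes the nick and the received name, re-checks containment, and applies the ".1"-style no-overwrite suffix. The download path, nicks and file names are constructed for illustration, the `exists` parameter is an assumption made so the behaviour can be exercised without touching the filesystem, and the allow-list used here is this example's own choice, not the project's fix.

```python
import os
import re

# Added example, not WeeChat's xfer code. All paths, nicks and file names below are
# constructed for illustration; the real plugin's naming rules may differ.

DOWNLOAD_PATH = "/home/user/dcc"  # constructed; stands in for the configured download path


def vulnerable_build_path(download_path, nick, filename, use_nick=True):
    """Naive builder in the shape the advisory describes: the remote nick is
    prepended to the received file name with no sanitization, then joined
    to the download directory."""
    name = f"{nick}_{filename}" if use_nick else filename
    # os.path.join discards download_path entirely when name is absolute,
    # and keeps any "../" components for the filesystem to resolve later.
    return os.path.join(download_path, name)


def escapes_download_dir(download_path, path):
    """True if path, after lexical normalization, lies outside download_path.
    Purely lexical; in production also resolve symlinks with os.path.realpath."""
    base = os.path.normpath(download_path)
    target = os.path.normpath(path)
    return os.path.commonpath([base, target]) != base


# Conservative allow-list (example's own choice): letters, digits, ".", "_" and "-".
_UNSAFE = re.compile(r"[^A-Za-z0-9._-]")


def sanitize_component(component):
    """Reduce an attacker-controlled string to a single, safe path component:
    anything outside the allow-list becomes "_", and the empty string, "." and
    ".." are replaced so no component can change directory."""
    cleaned = _UNSAFE.sub("_", component)
    return "_" if cleaned in ("", ".", "..") else cleaned


def safe_build_path(download_path, nick, filename, use_nick=True, exists=os.path.exists):
    """Hardened builder: sanitize the nick and the received name, re-check
    containment as defense in depth, and never overwrite an existing file
    (append .1, .2, ... as the advisory says xfer does).
    `exists` is injectable (assumption for this example) so callers can test it."""
    base = os.path.normpath(download_path)
    name = sanitize_component(os.path.basename(filename))
    if use_nick:
        name = f"{sanitize_component(nick)}_{name}"
    path = os.path.join(base, name)
    if escapes_download_dir(base, path):  # cannot trigger after sanitizing; kept as a guard
        raise ValueError(f"refusing to write outside {base}: {path}")
    candidate, n = path, 1
    while exists(candidate):
        candidate = f"{path}.{n}"
        n += 1
    return candidate


if __name__ == "__main__":
    for nick in ("alice", "../../../tmp/evil", "/etc/cron.d/job"):
        bad = vulnerable_build_path(DOWNLOAD_PATH, nick, "file.txt")
        good = safe_build_path(DOWNLOAD_PATH, nick, "file.txt", exists=lambda p: False)
        print(f"{nick!r:24} naive -> {bad}  escapes={escapes_download_dir(DOWNLOAD_PATH, bad)}")
        print(f"{'':24} safe  -> {good}")
```

Running the block shows the two ways a crafted nick defeats the naive builder: a nick with "../" components yields a path that normalizes to /tmp/evil_file.txt, and an absolute nick makes os.path.join drop the download directory altogether. The hardened builder turns both into plain names inside the download directory, and the containment check stays in place so a future change to the sanitizer cannot silently reopen the hole.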
Mitigation
Upgrade to 4.9.2. On an unpatched version, turn off the option that includes the nick in the filename: /set xfer.file.use_nick_in_filename off.
Credit
The issue was discovered by aizu-m.