CVE-2026-32733 Overview
CVE-2026-32733 is a path traversal vulnerability affecting Halloy, an IRC application written in Rust. The vulnerability exists in the DCC (Direct Client-to-Client) receive flow, which failed to properly sanitize filenames from incoming DCC SEND requests. This allows a remote attacker to write files outside the user's configured save_directory by sending malicious filenames containing path traversal sequences.
Critical Impact
Remote attackers can write arbitrary files to sensitive locations on the victim's system, potentially enabling SSH key injection, credential theft, or remote code execution with zero user interaction when auto-accept is enabled.
Affected Products
- Halloy IRC Application (versions prior to commit 0f77b2cfc5f822517a256ea5a4b94bad8bfe38b6)
Discovery Timeline
- 2026-03-20 - CVE CVE-2026-32733 published to NVD
- 2026-03-23 - Last updated in NVD database
Technical Details for CVE-2026-32733
Vulnerability Analysis
The vulnerability stems from improper input validation in Halloy's DCC file transfer implementation. When processing incoming DCC SEND requests from remote IRC users, the application accepted filenames directly without sanitization. This oversight allowed attackers to craft filenames containing directory traversal sequences (such as ../) that would escape the intended download directory.
The attack is particularly severe when Halloy's auto-accept feature is enabled, as the malicious file transfer completes without requiring any user interaction. An attacker could leverage this to overwrite critical system files or inject malicious content into sensitive directories like ~/.ssh/authorized_keys, effectively gaining persistent remote access to the victim's system.
Root Cause
The root cause is improper input validation (CWE-22: Path Traversal) in the DCC receive functionality. The application failed to strip or reject path traversal characters (../, ..\\) from incoming filenames before concatenating them with the user-configured save_directory path. This allowed attackers to navigate out of the intended directory structure and write files to arbitrary locations accessible by the user running Halloy.
Attack Vector
The attack can be executed remotely over the network by any IRC user who can send a DCC request to the victim. The attacker crafts a malicious DCC SEND request with a filename containing path traversal sequences. For example, sending a filename like ../../.ssh/authorized_keys would cause the file to be written two directories above the configured save directory and into the victim's SSH configuration folder.
The attack flow involves sending a crafted filename such as ../../.ssh/authorized_keys via DCC SEND protocol. With auto-accept enabled, the file is received and written to the traversed path without user confirmation, potentially enabling unauthorized SSH access or other system compromise.
Detection Methods for CVE-2026-32733
Indicators of Compromise
- Unexpected files appearing in sensitive directories such as ~/.ssh/, ~/.bashrc, or ~/.config/
- IRC logs showing DCC SEND requests with filenames containing ../ sequences
- New or modified authorized_keys files with unrecognized SSH public keys
- Unusual file write operations originating from the Halloy process outside the configured save directory
Detection Strategies
- Monitor file system activity for the Halloy process, alerting on any writes outside the configured save_directory
- Implement network-level detection rules for IRC traffic containing DCC SEND commands with path traversal patterns
- Deploy endpoint detection rules to identify processes writing to sensitive directories like .ssh/ or startup scripts
- Review Halloy logs for DCC file transfer requests with suspicious filename patterns
Monitoring Recommendations
- Enable file integrity monitoring on critical user directories including .ssh/, .config/, and home directory dotfiles
- Configure audit logging for file creation events in sensitive system locations
- Implement real-time alerting for new entries in authorized_keys files across managed systems
- Monitor for unusual network connections following DCC file transfers
How to Mitigate CVE-2026-32733
Immediate Actions Required
- Update Halloy to a version containing commit 0f77b2cfc5f822517a256ea5a4b94bad8bfe38b6 or later
- Disable auto-accept for DCC file transfers until the application is updated
- Review recently received files and check for unauthorized modifications to sensitive system files
- Audit ~/.ssh/authorized_keys for any unauthorized public keys
Patch Information
The Halloy development team addressed this vulnerability in commit 0f77b2cfc5f822517a256ea5a4b94bad8bfe38b6. The fix introduces a shared sanitize_filename function that strips path traversal sequences from all incoming filenames across identified code paths. Users should update to a version containing this commit to ensure protection against this vulnerability.
For detailed patch information, refer to the GitHub Commit Update and the GitHub Security Advisory GHSA-fqrv-rfg4-rv89.
Workarounds
- Disable DCC auto-accept functionality in Halloy configuration until updating is possible
- Manually inspect all incoming DCC file transfer requests for suspicious filename patterns before accepting
- Run Halloy in a sandboxed environment or container with restricted write access to the file system
- Configure firewall rules to block direct DCC connections if DCC functionality is not required
# Configuration example
# Disable DCC auto-accept in Halloy configuration
# Edit your Halloy config.toml and ensure auto-accept is disabled:
# [dcc]
# auto_accept = false
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
