CVE-2026-32805 Overview
CVE-2026-32805 is a path traversal vulnerability affecting Romeo, a code coverage tool designed to help measure code coverage for functional and integration tests within GitHub Actions for Go ≥1.20 applications. The vulnerability exists in the sanitizeArchivePath function located in webserver/api/v1/decoder.go (lines 80-88), which is vulnerable to a path traversal bypass due to a missing trailing path separator in the strings.HasPrefix check. This flaw allows a crafted tar archive to write files outside the intended destination directory.
Critical Impact
Attackers can exploit this path traversal vulnerability to write arbitrary files outside the intended extraction directory, potentially leading to code execution or system compromise through malicious file placement.
Affected Products
- Romeo versions prior to 0.2.2
- Go applications using Romeo for code coverage (Go ≥1.20)
- GitHub Actions workflows utilizing vulnerable Romeo versions
Discovery Timeline
- 2026-03-18 - CVE CVE-2026-32805 published to NVD
- 2026-03-19 - Last updated in NVD database
Technical Details for CVE-2026-32805
Vulnerability Analysis
This vulnerability is classified as CWE-22 (Path Traversal), a common weakness where improper limitation of a pathname to a restricted directory allows attackers to access files outside the intended boundaries. The flaw exists because the sanitizeArchivePath function uses strings.HasPrefix to validate that the resolved file path remains within the designated destination directory, but fails to include a trailing path separator in the comparison.
Without the trailing separator, an attacker can craft archive entries with paths that share a common prefix with the destination directory but resolve to locations outside it. For example, if the destination is /tmp/extract, a malicious path like /tmp/extract_malicious/payload would pass the prefix check since it starts with /tmp/extract, but would write to an entirely different directory.
Root Cause
The root cause of this vulnerability is the incomplete path validation in the sanitizeArchivePath function. The original implementation checked if the resolved path started with the cleaned destination directory path, but did not append the OS-specific path separator before performing the prefix comparison. This oversight creates a classic "Zip Slip" vulnerability pattern where archive entries can escape the intended extraction directory.
Attack Vector
This vulnerability is exploitable over the network with low attack complexity and requires no authentication or user interaction. An attacker can craft a malicious tar or zip archive containing specially crafted file paths that bypass the sanitization check. When the Romeo application processes this archive, files can be written to arbitrary locations on the file system, potentially overwriting critical system files, injecting malicious code into application directories, or establishing persistence mechanisms.
// Vulnerable code (before fix):
func sanitizeArchivePath(d, t string) (v string, err error) {
v = filepath.Join(d, t)
if strings.HasPrefix(v, filepath.Clean(d)) {
return v, nil
}
return "", &ErrPathTainted{
Path: t,
}
}
// Fixed code (after patch):
// Based upon https://security.snyk.io/research/zip-slip-vulnerability#expandable-socPI9fFAJ-title
func sanitizeArchivePath(destination, filePath string) (destpath string, err error) {
destpath = filepath.Join(destination, filePath)
if !strings.HasPrefix(destpath, filepath.Clean(destination)+string(os.PathSeparator)) {
return destpath, &ErrPathTainted{
Path: destination,
}
}
return
}
Source: GitHub Commit c2ebcfb9f305fd5f6ef68858de82507dbac10263
Detection Methods for CVE-2026-32805
Indicators of Compromise
- Unexpected files appearing outside designated extraction directories on systems running Romeo
- Archive processing logs showing unusual or suspicious file paths with directory traversal patterns
- New or modified files in sensitive system directories following archive extraction operations
Detection Strategies
- Monitor file system activity during Romeo archive extraction operations for writes outside expected directories
- Implement file integrity monitoring (FIM) on critical system directories to detect unauthorized modifications
- Review application logs for path traversal attempts or ErrPathTainted errors indicating blocked exploitation attempts
Monitoring Recommendations
- Enable verbose logging in Romeo deployments to capture archive extraction activities
- Set up alerts for file creation events in parent directories of designated extraction paths
- Monitor GitHub Actions workflow logs for anomalous Romeo behavior or unexpected file operations
How to Mitigate CVE-2026-32805
Immediate Actions Required
- Upgrade Romeo to version 0.2.2 or later immediately to address this vulnerability
- Audit systems running vulnerable Romeo versions for evidence of exploitation or unauthorized file modifications
- Review any archives processed by vulnerable Romeo installations for malicious content
Patch Information
The vulnerability has been fixed in Romeo version 0.2.2. The patch adds the OS-specific path separator (string(os.PathSeparator)) to the destination path before performing the prefix check, ensuring that archive entries cannot escape the intended extraction directory. The fix can be reviewed in the GitHub commit c2ebcfb9f305fd5f6ef68858de82507dbac10263 and the security advisory is available at GHSA-p799-g7vv-f279.
Workarounds
- If immediate patching is not possible, restrict network access to Romeo instances to trusted sources only
- Validate all input archives before processing with Romeo using external archive inspection tools
- Run Romeo in containerized or sandboxed environments to limit potential impact of exploitation
# Upgrade Romeo to patched version
go get github.com/ctfer-io/romeo@v0.2.2
# Verify installed version
go list -m github.com/ctfer-io/romeo
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
