CVE-2026-32733 in halloy
Summary
by MITRE • 03/21/2026
Halloy is an IRC application written in Rust. Prior to commit 0f77b2cfc5f822517a256ea5a4b94bad8bfe38b6, the DCC receive flow did not sanitize filenames from incoming `DCC SEND` requests. A remote IRC user could send a filename with path traversal sequences like `../../.ssh/authorized_keys` and the file would be written outside the user's configured `save_directory`. With auto-accept enabled this required zero interaction from the victim. Starting with commit 0f77b2cfc5f822517a256ea5a4b94bad8bfe38b6, all identified code paths sanitize filenames through a shared `sanitize_filename` function.
Analysis
by VulDB Data Team • 03/27/2026
The vulnerability identified as CVE-2026-32733 affects Halloy, an IRC application developed in Rust that facilitates direct client-to-client communication through the DCC protocol. This flaw resides in the DCC receive functionality where the application fails to properly validate and sanitize filenames received from remote IRC users during DCC SEND operations. The issue represents a classic path traversal vulnerability that allows malicious actors to manipulate file paths and write content to arbitrary locations on the victim's filesystem. The vulnerability specifically impacts versions prior to commit 0f77b2cfc5f822517a256ea5a4b94bad8bfe38b6 where the application processes incoming DCC SEND requests without adequate input validation.
The vulnerability stems from the application's failure to sanitize user-supplied filenames before writing files to disk. When a remote IRC user sends a DCC SEND request containing a filename with path traversal sequences such as `../../.ssh/authorized_keys`, the application interprets these sequences literally and writes the file to the specified location outside the intended save directory. This behavior occurs because the application does not perform proper input sanitization or canonicalization of file paths, allowing attackers to escape the designated storage boundaries. The vulnerability is particularly dangerous because it operates entirely within the IRC protocol's DCC framework, which is designed for direct peer-to-peer file transfers, making it difficult to detect and prevent through traditional network monitoring approaches.
The operational impact of this vulnerability extends beyond simple file system manipulation to potentially compromise system security and privacy. When combined with the auto-accept feature, which automatically accepts incoming DCC SEND requests without user confirmation, the vulnerability becomes a zero-click attack vector. An attacker can remotely place malicious files in sensitive system directories such as `.ssh` folders, potentially enabling persistent access through `authorized_keys` modification or other privilege escalation techniques. The vulnerability affects any user running Halloy with auto-accept enabled, making it particularly concerning for users who frequently receive files from unknown or untrusted IRC sources. This issue is classified as CWE-22 (Path Traversal) and represents a significant security risk within the context of IRC communication protocols and file transfer mechanisms.
The fix implemented in commit 0f77b2cfc5f822517a256ea5a4b94bad8bfe38b6 addresses this vulnerability by introducing a centralized `sanitize_filename` function that processes all file paths before they are written to disk. This approach follows the principle of least privilege and input validation, ensuring that all potential code paths properly handle user-supplied filenames. The solution demonstrates good security engineering practices by implementing a shared sanitization function rather than patching individual code locations, which reduces the likelihood of similar vulnerabilities in other parts of the application. This remediation strategy aligns with ATT&CK technique T1059.007 for executing commands through scripting languages and reflects proper secure coding practices recommended for preventing path traversal attacks in network applications. The fix effectively neutralizes the vulnerability by preventing path traversal sequences from being interpreted as valid file system paths, thereby protecting users from unauthorized file system modifications and potential privilege escalation attacks.
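The kind of filename reduction described above, as an added example that is not Halloy's code and not taken from the fix commit. The function bodies, the `naive_destination` model of the unsanitized flow, the `download` fallback name and the sample paths are all assumptions made for illustration.

```rust
use std::path::{Path, PathBuf};

/// Hypothetical sanitizer (not Halloy's code): reduce an untrusted DCC SEND
/// filename to a single path component.
fn sanitize_filename(untrusted: &str) -> String {
    // Keep only the text after the last separator. '\' counts as well,
    // because the sender may run a different OS than the receiver.
    let last = untrusted
        .rsplit(|c: char| c == '/' || c == '\\')
        .next()
        .unwrap_or("");
    // Drop control characters and characters reserved on Windows.
    let kept: String = last
        .chars()
        .filter(|&c| !c.is_control() && !matches!(c, ':' | '*' | '?' | '"' | '<' | '>' | '|'))
        .collect();
    // Trim dots and spaces so ".", ".." and hidden-file names cannot survive.
    let kept = kept.trim_matches(|c: char| c == '.' || c == ' ');
    if kept.is_empty() { "download".to_string() } else { kept.to_string() }
}

/// Assumed model of the unsanitized flow: the name is joined as received.
fn naive_destination(save_directory: &Path, untrusted: &str) -> PathBuf {
    save_directory.join(untrusted)
}

/// Sanitized flow: only a single component is ever joined.
fn destination(save_directory: &Path, untrusted: &str) -> PathBuf {
    save_directory.join(sanitize_filename(untrusted))
}

/// True only when `candidate` sits directly in `save_directory`. Note that
/// `Path::starts_with` is not a containment check: it does not resolve "..".
fn is_direct_child(save_directory: &Path, candidate: &Path) -> bool {
    candidate.parent() == Some(save_directory)
}

fn main() {
    let dir = Path::new("/home/alice/Downloads"); // constructed sample path
    let names = ["../../.ssh/authorized_keys", "/tmp/outside.txt", "..\\..\\outside.txt", "..", "report.pdf"];
    for name in names {
        let (before, after) = (naive_destination(dir, name), destination(dir, name));
        let ok = is_direct_child(dir, &after);
        println!("{name:?}: {} => {} (contained: {ok})", before.display(), after.display());
    }
}
```

On Unix, `Path::join` with an absolute argument discards the base directory entirely, so a sanitizer has to handle leading separators as well as `..` sequences.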