CVE-2026-32805 in romeo
Summary
by MITRE • 03/19/2026
Romeo gives the capability to reach high code coverage of Go ≥1.20 apps by helping to measure code coverage for functional and integration tests within GitHub Actions. Prior to version 0.2.2, the `sanitizeArchivePath` function in `webserver/api/v1/decoder.go` (lines 80-88) is vulnerable to a path traversal bypass due to a missing trailing path separator in the `strings.HasPrefix` check. A crafted tar archive can write files outside the intended destination directory. Version 0.2.2 fixes the issue.
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 03/25/2026
The vulnerability identified as CVE-2026-32805 affects the Romeo tool, which is designed to facilitate code coverage measurement for go applications within github actions environments. This tool serves as a critical component in software development workflows where automated testing and quality assurance are paramount. The vulnerability specifically resides within the webserver api v1 decoder module, where the sanitizearchivepath function fails to properly validate file paths during archive extraction processes. This flaw represents a path traversal vulnerability that could potentially allow malicious actors to write files outside the intended destination directory, undermining the security boundaries of the testing environment.
The technical root cause of this vulnerability stems from an insufficient validation mechanism within the sanitizearchivepath function located in webserver/api/v1/decoder.go at lines 80-88. The implementation relies on strings.hasprefix checks without properly accounting for trailing path separators, creating a bypass opportunity for attackers who craft malicious tar archives. This specific implementation flaw aligns with CWE-22 Path Traversal vulnerability classification, which occurs when applications fail to properly validate or sanitize file paths, allowing attackers to traverse the file system beyond intended directories. The missing trailing path separator in the prefix check means that a crafted archive entry could potentially bypass the intended directory restriction by exploiting the way path components are compared, particularly when dealing with directory traversal sequences.
The operational impact of this vulnerability extends beyond simple code coverage measurement capabilities, as it introduces a potential security risk within the ci/cd pipeline environment where the tool operates. An attacker who can influence the tar archive content could potentially write malicious files to arbitrary locations on the system, leading to unauthorized code execution, data exfiltration, or system compromise. This risk is particularly concerning in automated testing environments where the tool may run with elevated privileges or access to sensitive development artifacts. The vulnerability affects go applications targeting version 1.20 and above, making it relevant to a significant portion of modern go development workflows that utilize github actions for continuous integration processes.
The fix implemented in version 0.2.2 addresses the core issue by ensuring proper path validation through the addition of trailing path separators in the strings.hasprefix checks. This remediation aligns with established security practices for preventing path traversal attacks and follows the principle of least privilege by ensuring that extracted files remain confined to their intended directories. Organizations using Romeo tool should immediately upgrade to version 0.2.2 or later to mitigate this vulnerability, particularly those with automated testing environments where untrusted archive content may be processed. The fix demonstrates the importance of proper input validation and path sanitization in security-critical applications, as highlighted by various security frameworks including the owasp top ten and mitre attack framework categories related to path traversal and privilege escalation techniques.
This vulnerability represents a critical security concern for development teams relying on automated testing infrastructure, as it could potentially be exploited to compromise the integrity of the entire ci/cd pipeline. The attack surface is particularly relevant in environments where multiple developers contribute to projects and may inadvertently introduce malicious content into test archives. Security practitioners should monitor for any potential exploitation attempts and consider implementing additional security controls such as sandboxed execution environments for processing untrusted archive content. The remediation process also underscores the importance of regular security audits and code reviews specifically targeting input validation mechanisms within automated tooling that processes external data sources.