CVE-2022-26315

## Vulnerability qrcp through version 0.8.4, when operating in receive mode, does not validate the file name provided by the uploader. An attacker can include ../ sequences in the file name, leading to a directory traversal vulnerability [1]. This affects versions up to and including 0.8.4 on all supported platforms (Windows, Linux).

Exploitation

An attacker acting as the uploader can craft an HTTP request with a file name containing path traversal sequences (e.g., ../../malicious.txt). The receiver's qrcp instance will write the file to the traversed path without validation, requiring no authentication or user interaction beyond initiating a receive operation [1].

Impact

Successful exploitation allows the attacker to write files to arbitrary locations outside the intended receive directory on the victim's filesystem. This could lead to overwriting critical system files or placing malicious payloads, potentially resulting in code execution, denial of service, or privilege escalation, depending on the write permissions of the qrcp process [1].

Mitigation

As of the publication date (2022-02-28), no official patch or fixed version has been released for this vulnerability. Users are advised to avoid using qrcp in receive mode with untrusted uploaders, or to manually validate file names before processing. The issue is tracked on GitHub [1].