CVE-2023-43616
Description
An issue was discovered in Croc through 9.6.5. A sender can cause a receiver to overwrite files during ZIP extraction.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Croc through 9.6.5 lets a sender overwrite files on the receiver's system, because the receiver is never asked for confirmation before an existing file is replaced during ZIP extraction.
Vulnerability
Overview
CVE-2023-43616 is a vulnerability in the Croc file-sharing utility through version 9.6.5. The issue arises from the lack of a user prompt before overwriting files during ZIP extraction on the receiver's side. A malicious sender can exploit this to force file overwrites without the receiver's consent [1][2].
Exploitation
Details
An attacker acting as a sender can craft a ZIP archive containing files with names that match existing files on the receiver's system. When the receiver accepts the transfer and Croc automatically extracts the ZIP archive, the application will overwrite the existing files without asking for confirmation. This requires the receiver to be in a state where file extraction proceeds automatically, which is the default behavior in Croc [2][3].
Impact
Successful exploitation allows an attacker to overwrite arbitrary files already present on the receiver's filesystem. This could lead to data corruption, replacement of critical configuration files, or planting of malicious content, depending on the filesystem location and permissions. The receiver may not immediately realize that files have been replaced [1][4].
Mitigation
Status
The upstream project has acknowledged the issue and developed a fix via a pull request (#698) that adds a prompt asking the receiver for permission before overwriting files during ZIP extraction [2]. Users are advised to update to a patched version once released, or manually verify transfers from untrusted senders.
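The behaviour described above (automatic extraction that silently replaces existing files) and the fix the project chose (ask before overwriting) can be expressed as a small extraction routine whose overwrite decision is a pluggable policy. The code below is an added example written for this page; it is not Croc's own code and does not use Croc's `UnzipDirectory`/`GetInput` functions. It assumes an in-memory archive and a destination directory, uses `RefuseOverwrite` as the default policy, and closes the check-then-open window by creating new files with `O_EXCL` instead of `O_TRUNC`.

```go
package main

import (
	"archive/zip"
	"bytes"
	"errors"
	"fmt"
	"io"
	"io/fs"
	"os"
	"path/filepath"
)

// OverwritePolicy is consulted for every archive entry whose target path already
// exists on the receiver. Returning false skips the entry; true replaces the file.
type OverwritePolicy func(path string) bool

// RefuseOverwrite is the conservative default: an existing file is never replaced.
func RefuseOverwrite(string) bool { return false }

// ExtractZip writes the entries of archive below dest. Entries whose target already
// exists are written only if policy allows it. It returns the paths written and the
// paths skipped so the caller can report what the sender tried to replace.
func ExtractZip(archive []byte, dest string, policy OverwritePolicy) (written, skipped []string, err error) {
	r, err := zip.NewReader(bytes.NewReader(archive), int64(len(archive)))
	if err != nil {
		return nil, nil, err
	}
	for _, f := range r.File {
		target := filepath.Join(dest, filepath.FromSlash(f.Name))
		if f.FileInfo().IsDir() {
			if err := os.MkdirAll(target, 0o755); err != nil {
				return written, skipped, err
			}
			continue
		}
		if err := os.MkdirAll(filepath.Dir(target), 0o755); err != nil {
			return written, skipped, err
		}
		// Only a definite "does not exist" counts as absent; any other Stat failure
		// (e.g. permission denied) is treated as existing so the policy still runs.
		_, statErr := os.Stat(target)
		exists := !errors.Is(statErr, fs.ErrNotExist)
		flags := os.O_WRONLY | os.O_CREATE | os.O_EXCL // fail instead of clobbering a file that appeared later
		if exists {
			if !policy(target) {
				skipped = append(skipped, target)
				continue
			}
			flags = os.O_WRONLY | os.O_CREATE | os.O_TRUNC // overwrite was explicitly approved
		}
		out, err := os.OpenFile(target, flags, 0o644)
		if err != nil {
			if errors.Is(err, fs.ErrExist) { // lost the race: treat as an unapproved overwrite
				skipped = append(skipped, target)
				continue
			}
			return written, skipped, err
		}
		rc, err := f.Open()
		if err != nil {
			out.Close()
			return written, skipped, err
		}
		_, copyErr := io.Copy(out, rc)
		rc.Close()
		if closeErr := out.Close(); copyErr == nil {
			copyErr = closeErr
		}
		if copyErr != nil {
			return written, skipped, copyErr
		}
		written = append(written, target)
	}
	return written, skipped, nil
}

// Entry is a constructed (name, body) pair used to build a sample archive in memory.
type Entry struct{ Name, Body string }

// BuildSampleZip assembles a ZIP archive from constructed entries, standing in for
// what a sender would transmit.
func BuildSampleZip(entries []Entry) []byte {
	var buf bytes.Buffer
	w := zip.NewWriter(&buf)
	for _, e := range entries {
		fw, err := w.Create(e.Name)
		if err != nil {
			panic(err)
		}
		if _, err := fw.Write([]byte(e.Body)); err != nil {
			panic(err)
		}
	}
	if err := w.Close(); err != nil {
		panic(err)
	}
	return buf.Bytes()
}

func main() {
	dir, err := os.MkdirTemp("", "zip-demo")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	// A file the receiver already has, and an archive whose entry collides with it.
	_ = os.WriteFile(filepath.Join(dir, "notes.txt"), []byte("keep me"), 0o644)
	archive := BuildSampleZip([]Entry{{"notes.txt", "sender-chosen content"}, {"new.txt", "hello"}})
	written, skipped, err := ExtractZip(archive, dir, RefuseOverwrite)
	fmt.Println("written:", written, "skipped:", skipped, "err:", err)
}
```

With `RefuseOverwrite` the colliding entry is reported in `skipped` and the receiver's original content survives; passing an interactive policy (one that prompts and returns the user's answer) reproduces the behaviour of the upstream fix, and the `O_EXCL` flag means a file that appears between the existence check and the open is also left alone.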
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/schollz/croc (Go) | < 9.6.16 | 9.6.16 |
Affected products
Croc / Croc (3 version ranges from OSV coordinates; no CPE):
- < 10.2.1-r4
- < 10.2.1-r4
- < 9.6.16
Patches
4929635eb875 Merge pull request #698 from schollz/schollz/issue594
1 file changed · +10 −0
src/utils/utils.go+10 −0 modified@@ -453,6 +453,16 @@ func UnzipDirectory(destination string, source string) error { log.Fatalln(err) } + // check if file exists + if _, err := os.Stat(filePath); err == nil { + prompt := fmt.Sprintf("\nOverwrite '%s'? (y/N) ", filePath) + choice := strings.ToLower(GetInput(prompt)) + if choice != "y" && choice != "yes" { + fmt.Fprintf(os.Stderr, "skipping '%s'", filePath) + continue + } + } + dstFile, err := os.OpenFile(filePath, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, f.Mode()) if err != nil { log.Fatalln(err)
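Review bot: the existence check `if _, err := os.Stat(filePath); err == nil` only prompts when Stat succeeds, so any other Stat failure (for example a permission error on the parent directory) skips the prompt and falls straight through to the `os.OpenFile(..., os.O_TRUNC, ...)` call, which is the overwrite this change is meant to gate; testing `!errors.Is(err, fs.ErrNotExist)` instead would prompt in every case where the file is not known to be absent. Two smaller points in the same hunk: `fmt.Fprintf(os.Stderr, "skipping '%s'", filePath)` has no trailing newline, so the next `Overwrite '...'? (y/N)` prompt runs onto the same line, and because the open still uses `O_TRUNC`, a file created between the Stat and the OpenFile is replaced without a prompt; opening not-yet-existing targets with `O_EXCL` would close that window.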
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-8c8w-f7wp-2jr2 (advisory)
- nvd.nist.gov/vuln/detail/CVE-2023-43616 (advisory)
- www.openwall.com/lists/oss-security/2023/09/21/5 (mailing list)
- github.com/schollz/croc/commit/4929635eb875d2304e9415b8f4aa62af9e1a2339 (web)
- github.com/schollz/croc/issues/594 (web)
- github.com/schollz/croc/pull/698 (web)
- www.openwall.com/lists/oss-security/2023/09/08/2 (web)