CVE-2023-43619
Description
An issue was discovered in Croc through 9.6.5. A sender may send dangerous new files to a receiver, such as executable content or a .ssh/authorized_keys file.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Croc file transfer utility through v9.6.5 allows a sender to place arbitrary new files (e.g., executables or .ssh/authorized_keys) on a receiver's system without the receiver's consent.
Vulnerability
Description
Croc is a peer-to-peer file transfer tool that uses a relay server and end-to-end encryption. In versions up to 9.6.5, a design flaw allows the sender to push files to the receiver without the receiver explicitly accepting them. The receiver's client does not validate whether the files being sent are expected or safe, enabling the sender to deliver arbitrary new files to the receiver's filesystem [1][2].
Exploitation
Scenario
The attack requires only that a sender and receiver establish a transfer session. The receiver typically uses a code to connect. Once the connection is made, the sender can transmit files that are not part of an agreed-upon transfer. The receiver's client automatically accepts and writes these files to disk in the receiver's current working directory or specified output path. Nothing stands between the transfer and the write: no additional authentication or per-file confirmation is required, because the client processes all data from the sender by default [1][3].
Impact
An attacker in the sender role can write dangerous content to the receiver's system. For example, they could deliver executable binaries or scripts (e.g., .exe, .sh) or modify critical configuration files such as ~/.ssh/authorized_keys to gain persistent remote access. This effectively bypasses any intended file exchange consent and can lead to full compromise of the receiver's machine [2][3].
Mitigation
The issue is addressed in a pull request (#697) that implements a dangerous paths check, causing the client to quit when it detects attempts to write files to sensitive locations [3]. The upstream author has acknowledged the issue but has not yet released a patched version. Users are advised to update to the latest available fix or exercise extreme caution when receiving files from untrusted senders. The CVE remains unpatched in the latest stable release (9.6.5) [1][4].
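The "dangerous paths check" described above can be made structural rather than a substring match. The Go function below is an added example written for this page; it is not code from the croc project or from pull request #697. The function name `ConfinedPath`, the destination directory `received`, the constructed sample names, and the rule that rejects hidden (dot-prefixed) components are assumptions of this example. It confines every sender-supplied name to the receiver's output directory and rejects absolute paths, traversal that survives path cleaning, and dotfile locations such as `.ssh/authorized_keys`, while still accepting names that merely contain `..` as characters.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ConfinedPath maps a sender-supplied relative name onto an absolute path that is
// guaranteed to lie inside destDir. It returns an error for anything a receiver
// should refuse to write: empty names, absolute paths, names that escape destDir
// after cleaning, and hidden (dot-prefixed) components. The hidden-component rule
// is a policy choice assumed for this example; it covers ~/.ssh/authorized_keys
// and similar dotfile locations without maintaining a list of them.
func ConfinedPath(destDir, remoteName string) (string, error) {
	if remoteName == "" {
		return "", errors.New("empty file name")
	}
	// Normalise backslashes so a Windows-style "..\" is treated as a separator too.
	name := filepath.FromSlash(strings.ReplaceAll(remoteName, `\`, "/"))
	if filepath.IsAbs(name) || filepath.VolumeName(name) != "" {
		return "", fmt.Errorf("absolute path rejected: %q", remoteName)
	}
	base, err := filepath.Abs(destDir)
	if err != nil {
		return "", err
	}
	// Join cleans its result, so "docs/../../x" collapses before the comparison.
	full := filepath.Join(base, name)
	rel, err := filepath.Rel(base, full)
	if err != nil {
		return "", err
	}
	sep := string(filepath.Separator)
	if rel == "." {
		return "", fmt.Errorf("name resolves to the destination directory itself: %q", remoteName)
	}
	// A confined path never starts with a ".." segment relative to base.
	if rel == ".." || strings.HasPrefix(rel, ".."+sep) {
		return "", fmt.Errorf("path escapes destination directory: %q", remoteName)
	}
	for _, comp := range strings.Split(rel, sep) {
		if strings.HasPrefix(comp, ".") {
			return "", fmt.Errorf("hidden path component rejected: %q", remoteName)
		}
	}
	return full, nil
}

func main() {
	// Constructed sample of names as a sender might supply them; not real traffic.
	samples := []string{
		"docs/report.pdf",
		"notes..txt",
		"a/./b",
		"../../etc/passwd",
		"docs/../../escape",
		"/etc/passwd",
		".ssh/authorized_keys",
		`..\..\escape`,
		".",
	}
	for _, s := range samples {
		p, err := ConfinedPath("received", s)
		if err != nil {
			fmt.Printf("REJECT %-24q %v\n", s, err)
			continue
		}
		fmt.Printf("ACCEPT %-24q -> %s\n", s, p)
	}
}
```

The confinement test is `filepath.Rel` against the destination rather than `strings.Contains(path, "..")`, so `notes..txt` is accepted while `docs/../../escape` is not. The dotfile rule is deliberately blunt; a receiver that knows which file names to expect can replace it with an allowlist of those names.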
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/schollz/croc/v9 (Go) | < 9.6.16 | 9.6.16 |
Affected products
- Croc/Croc (source: description)
- OSV coordinates, 3 version ranges (< 10.0.0-r0 and 2 more):
  - (no CPE) range: < 10.0.0-r0
  - (no CPE) range: < 10.0.0-r0
  - (no CPE) range: < 9.6.16
Patches
3f12f75fae2e  Merge pull request #697 from schollz/issue593
2 files changed · +37 −0
src/croc/croc.go+16 −0 modified@@ -1092,6 +1092,22 @@ func (c *Client) processMessageFileInfo(m message.Message) (done bool, err error c.EmptyFoldersToTransfer = senderInfo.EmptyFoldersToTransfer c.TotalNumberFolders = senderInfo.TotalNumberFolders c.FilesToTransfer = senderInfo.FilesToTransfer + for i, fi := range c.FilesToTransfer { + // Issues #593 - sanitize the sender paths and prevent ".." from being used + c.FilesToTransfer[i].FolderRemote = filepath.Clean(fi.FolderRemote) + if strings.Contains(c.FilesToTransfer[i].FolderRemote, "..") { + return true, fmt.Errorf("invalid path detected: '%s'", fi.FolderRemote) + } + // Issues #593 - disallow specific folders like .ssh + if strings.Contains(c.FilesToTransfer[i].FolderRemote, ".ssh") { + return true, fmt.Errorf("invalid path detected: '%s'", fi.FolderRemote) + } + // Issue #595 - disallow filenames with anything but 0-9a-zA-Z.-_. and / characters + + if !utils.ValidFileName(path.Join(c.FilesToTransfer[i].FolderRemote, fi.Name)) { + return true, fmt.Errorf("invalid filename detected: '%s'", fi.Name) + } + } c.TotalNumberOfContents = 0 if c.FilesToTransfer != nil { c.TotalNumberOfContents += len(c.FilesToTransfer)
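Review bot: the `..` and `.ssh` checks in this hunk apply only to `FolderRemote`; `fi.Name` is validated solely through `ValidFileName`, which permits `.` and `/`, so a joined path that still carries a `..` segment after `path.Join(c.FilesToTransfer[i].FolderRemote, fi.Name)` passes this hunk. Apply the traversal check to the joined path as well, or better, confine the final path to the destination directory with `filepath.Rel` and reject results beginning with `..`. Two secondary points: `strings.Contains(..., "..")` and `strings.Contains(..., ".ssh")` are substring matches, so legitimate names such as `report..txt` or `my.sshlog` are rejected while an absolute `FolderRemote` (which contains no `..`) is not, since there is no `filepath.IsAbs` check; and the comment "0-9a-zA-Z.-_. and /" omits the space character that `ValidFileName` accepts. Also note the mix of `filepath.Clean` (OS-specific separators) for the folder and `path.Join` (forward slashes only) for the joined path; use one package consistently.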
src/utils/utils.go+21 −0 modified@@ -438,6 +438,12 @@ func UnzipDirectory(destination string, source string) error { filePath := filepath.Join(destination, f.Name) fmt.Fprintf(os.Stderr, "\r\033[2K") fmt.Fprintf(os.Stderr, "\rUnzipping file %s", filePath) + // Issue #593 conceal path traversal vulnerability + // make sure the filepath does not have ".." + filePath = filepath.Clean(filePath) + if strings.Contains(filePath, "..") { + log.Fatalf("Invalid file path %s\n", filePath) + } if f.FileInfo().IsDir() { os.MkdirAll(filePath, os.ModePerm) continue @@ -467,3 +473,18 @@ func UnzipDirectory(destination string, source string) error { fmt.Fprintf(os.Stderr, "\n") return nil } + +// ValidFileName checks if a filename is valid +// and returns true only if it all of the characters are either +// 0-9, a-z, A-Z, ., _, -, space, or / +func ValidFileName(fname string) bool { + for _, r := range fname { + if !((r >= '0' && r <= '9') || + (r >= 'a' && r <= 'z') || + (r >= 'A' && r <= 'Z') || + r == '.' || r == '_' || r == '-' || r == ' ' || r == '/') { + return false + } + } + return true +}
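Review bot: in the first hunk, `log.Fatalf("Invalid file path %s\n", filePath)` terminates the whole process for a single bad archive entry even though `UnzipDirectory` already returns `error`; return `fmt.Errorf(...)` instead so the caller can report the failure and clean up partial output. The check itself is fragile: `filePath` is `filepath.Join(destination, f.Name)`, so after `filepath.Clean` a relative `destination` such as `../out` makes every entry fail, and an entry name that legitimately contains `..` (for example `v1..v2.diff`) is rejected. The standard confinement test is `filepath.Rel(destination, filePath)` not starting with `..`. Finally, the comment "conceal path traversal vulnerability" should read "prevent path traversal".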
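Review bot: in the second hunk, `ValidFileName` validates characters but not structure: it accepts a leading `/` (an absolute path), `..` segments and the empty string, because `.` and `/` are in the allowed set, so on its own it does not stop traversal; either reject absolute paths and `..` components here or document that the caller must perform the confinement check. The ASCII-only allowlist also rejects every non-ASCII filename (accented or CJK names) outright, which is a behaviour change worth stating in the doc comment. Minor: the doc comment reads "returns true only if it all of the characters"; drop the stray "it".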
References
- github.com/advisories/GHSA-ppjh-xp5v-46wc (advisory, via GHSA)
- nvd.nist.gov/vuln/detail/CVE-2023-43619 (advisory, via GHSA)
- www.openwall.com/lists/oss-security/2023/09/21/5 (mailing list, via GHSA)
- github.com/schollz/croc/commit/3f12f75fae2e844c555ec01eeba0b8474938e93a (web, via GHSA)
- github.com/schollz/croc/issues/593 (web, via GHSA)
- github.com/schollz/croc/pull/697 (web, via GHSA)
- www.openwall.com/lists/oss-security/2023/09/08/2 (web, via GHSA)