VYPR
High severity · NVD Advisory · Published Sep 20, 2023 · Updated Sep 24, 2024

CVE-2023-43620

Description

An issue was discovered in Croc through 9.6.5. A sender may place ANSI or CSI escape sequences in a filename to attack the terminal device of a receiver.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Croc file-transfer tool (≤9.6.5) allows senders to embed ANSI/CSI escape sequences in filenames, which can compromise a receiver's terminal when displayed.

Vulnerability

Overview

CVE-2023-43620 is a vulnerability in Croc, a command-line file transfer utility. The NVD description names versions through 9.6.5, while the GitHub Security Advisory marks every release before 9.6.16 as affected [1][3][4]. The issue lies in how Croc handles filenames received during a transfer: a malicious sender can embed ANSI or CSI (Control Sequence Introducer) escape sequences in a filename [1][2]. Because Croc neither strips nor escapes these sequences before writing the filename to the terminal (in the accept prompt, the progress display, or the final listing), the receiver's terminal emulator interprets them as control sequences rather than showing them as text: they can move the cursor, erase or overwrite what is on screen, change the window title, or, in emulators that answer query sequences, cause bytes to be written back onto the program's standard input [1].

Exploitation

To exploit this, an attacker only needs to act as a sender and transfer a file whose name contains crafted escape sequences; no special network position or authentication bypass is required beyond what a normal Croc transfer involves [1]. When the receiver's client writes the filename to the terminal (in the confirmation prompt, the progress display, or the completion message), the terminal processes the sequences. Since the name is shown in the confirmation prompt, the escapes may already have taken effect by the time the receiver decides whether to accept, and nothing outside the ordinary transfer workflow is required of the victim [1][4]. For a CLI tool the terminal is the whole user interface, so whatever the escapes hide or rewrite is exactly what the receiver relies on to judge the transfer.
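As an added illustration of the mechanism described in the Overview and Exploitation paragraphs (example code written for this page, not Croc's own code; the sample filenames are constructed and the function names are invented for the example), the following Go program shows a few filenames that carry terminal control sequences, a check that detects them without rejecting ordinary Unicode names, and a rendering that makes them visible instead of letting the terminal act on them:

```go
package main

import (
	"fmt"
	"strings"
	"unicode"
	"unicode/utf8"
)

// Constructed sample filenames (not taken from the advisory or from Croc):
//   - the second hides the real name: ESC[2K erases the line, ESC[1G moves
//     the cursor back to column 1, and "notes.txt" is printed over "payload.sh";
//   - the third uses the 8-bit C1 form of CSI (0x9B), which several terminals
//     treat exactly like ESC [ ;
//   - the fourth is an OSC sequence (ESC ] ... BEL) that sets the window title;
//   - the last is a legitimate non-ASCII name that a control-character filter
//     should leave alone.
var sampleNames = []string{
	"report.pdf",
	"payload.sh\x1b[2K\x1b[1Gnotes.txt",
	"\x9b31mred.txt",
	"\x1b]0;owned\x07file.txt",
	"résumé (final).pdf",
}

// HasTerminalEscape reports whether a terminal would interpret part of name
// as a control sequence instead of displaying it. It flags C0 controls
// (including ESC 0x1B and BEL 0x07), DEL, the C1 range U+0080..U+009F (CSI,
// OSC and friends when encoded as valid UTF-8) and any byte that is not valid
// UTF-8, which is how a raw 8-bit CSI 0x9B shows up in a Go string.
// Printable non-ASCII text such as "é" passes.
func HasTerminalEscape(name string) bool {
	for i := 0; i < len(name); {
		r, size := utf8.DecodeRuneInString(name[i:])
		if (r == utf8.RuneError && size == 1) || unicode.IsControl(r) {
			return true
		}
		i += size
	}
	return false
}

// DisplayName renders name so that it can be written to a terminal safely:
// every control rune and every invalid byte is replaced by a visible escape
// (\x1b, \x07, \x9b, \u009b) and everything else is copied unchanged.
// This is the form a prompt such as "Accept 'name'?" should print.
func DisplayName(name string) string {
	var b strings.Builder
	for i := 0; i < len(name); {
		r, size := utf8.DecodeRuneInString(name[i:])
		switch {
		case r == utf8.RuneError && size == 1:
			fmt.Fprintf(&b, `\x%02x`, name[i]) // invalid byte, e.g. a raw 0x9B
		case unicode.IsControl(r) && r < 0x80:
			fmt.Fprintf(&b, `\x%02x`, r) // C0 control or DEL
		case unicode.IsControl(r):
			fmt.Fprintf(&b, `\u%04x`, r) // C1 control encoded as UTF-8
		default:
			b.WriteRune(r)
		}
		i += size
	}
	return b.String()
}

func main() {
	for _, name := range sampleNames {
		// Printing name with %s here would hand the escapes to the terminal,
		// which is exactly the bug; only the sanitized rendering is printed.
		verdict := "ok"
		if HasTerminalEscape(name) {
			verdict = "REJECT (terminal control sequence)"
		}
		fmt.Printf("%-45s %s\n", DisplayName(name), verdict)
	}
}
```

Run it with go run. If the second sample were printed with %s inside an accept prompt, the terminal would show only notes.txt and the real name payload.sh would be gone from the screen, which is the class of problem the advisory describes. The check deliberately keys on control characters and malformed UTF-8 rather than on an ASCII allowlist, so a name like résumé (final).pdf is accepted while every C0, C1 and invalid-byte variant is refused.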

Impact

Successful exploitation lets a remote sender manipulate the receiver's terminal session: rewrite or hide displayed output (for instance, overwrite the real filename with a harmless-looking one or erase a warning), move the cursor, change the window title, or, with terminal emulators that answer query sequences, have the terminal write bytes back onto standard input where they may be read as keystrokes [1]. Whether this escalates beyond display manipulation, to information disclosure, unauthorized file access or command execution, depends on the terminal emulator, on any bugs in its escape-sequence handling, and on the privileges of the receiving user. Because Croc is cross-platform, receivers on Linux, macOS and Windows are all exposed, with effectiveness varying according to how fully each terminal emulator implements ANSI/CSI sequences [1][4].

Mitigation

As of the disclosure date, the Croc upstream author had acknowledged the issue but not released a patch, citing limited resources [1][2]. A pull request that makes the client quit when a dangerous path or filename is detected had been submitted but not yet merged [2]; the GitHub Security Advisory now lists 9.6.16 as the first patched version (see Affected packages below). Until they can upgrade, users should treat filenames from untrusted senders with suspicion (an escape sequence is not visible as text, so what the terminal shows may not be the real name), prefer terminal emulators that neutralize or flag escape sequences, or use another transfer tool [1][4].

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: github.com/schollz/croc/v9 (Go)
Affected versions: < 9.6.16
Patched versions: 9.6.16

Affected products: 4

Patches: 1

3f12f75fae2e

Merge pull request #697 from schollz/issue593

https://github.com/schollz/croc · Zack · May 20, 2024 · via ghsa
2 files changed · +37 −0
  • src/croc/croc.go · +16 −0 · modified
    @@ -1092,6 +1092,22 @@ func (c *Client) processMessageFileInfo(m message.Message) (done bool, err error
     	c.EmptyFoldersToTransfer = senderInfo.EmptyFoldersToTransfer
     	c.TotalNumberFolders = senderInfo.TotalNumberFolders
     	c.FilesToTransfer = senderInfo.FilesToTransfer
    +	for i, fi := range c.FilesToTransfer {
    +		// Issues #593 - sanitize the sender paths and prevent ".." from being used
    +		c.FilesToTransfer[i].FolderRemote = filepath.Clean(fi.FolderRemote)
    +		if strings.Contains(c.FilesToTransfer[i].FolderRemote, "..") {
    +			return true, fmt.Errorf("invalid path detected: '%s'", fi.FolderRemote)
    +		}
    +		// Issues #593 - disallow specific folders like .ssh
    +		if strings.Contains(c.FilesToTransfer[i].FolderRemote, ".ssh") {
    +			return true, fmt.Errorf("invalid path detected: '%s'", fi.FolderRemote)
    +		}
    +		// Issue #595 - disallow filenames with anything but 0-9a-zA-Z.-_. and / characters
    +
    +		if !utils.ValidFileName(path.Join(c.FilesToTransfer[i].FolderRemote, fi.Name)) {
    +			return true, fmt.Errorf("invalid filename detected: '%s'", fi.Name)
    +		}
    +	}
     	c.TotalNumberOfContents = 0
     	if c.FilesToTransfer != nil {
     		c.TotalNumberOfContents += len(c.FilesToTransfer)
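Review bot: the error messages on the `return true, fmt.Errorf("invalid path detected: '%s'", fi.FolderRemote)` lines and on `fmt.Errorf("invalid filename detected: '%s'", fi.Name)` interpolate the rejected, sender-controlled name with `%s`, so if the caller prints the error the escape sequences this fix is meant to block still reach the receiver's terminal; use `%q` so Go renders control bytes as `\x1b` and the like. Two smaller points on the same hunk: `c.EmptyFoldersToTransfer` is assigned from `senderInfo` just above the loop but never goes through the same `..` and `ValidFileName` checks, and both `strings.Contains` tests are substring matches, so `FolderRemote` values such as `notes..old` or `foo.ssh` are refused as well; if that is intentional, a comment saying so would help.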
    
  • src/utils/utils.go · +21 −0 · modified
    @@ -438,6 +438,12 @@ func UnzipDirectory(destination string, source string) error {
     		filePath := filepath.Join(destination, f.Name)
     		fmt.Fprintf(os.Stderr, "\r\033[2K")
     		fmt.Fprintf(os.Stderr, "\rUnzipping file %s", filePath)
    +		// Issue #593 conceal path traversal vulnerability
    +		// make sure the filepath does not have ".."
    +		filePath = filepath.Clean(filePath)
    +		if strings.Contains(filePath, "..") {
    +			log.Fatalf("Invalid file path %s\n", filePath)
    +		}
     		if f.FileInfo().IsDir() {
     			os.MkdirAll(filePath, os.ModePerm)
     			continue
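Review bot: the `..` test does not catch traversal reliably, because `filepath.Join(destination, f.Name)` on the line above already runs `Clean`, which resolves `..` components against `destination`: with `destination = "/tmp/out"` and an entry named `../../etc/passwd`, `filePath` is already `/etc/passwd`, contains no `..`, and passes the check. Check containment instead, e.g. `rel, err := filepath.Rel(destination, filePath)` and reject when `err != nil`, `rel == ".."` or `rel` begins with `../`. Also, `fmt.Fprintf(os.Stderr, "\rUnzipping file %s", filePath)` prints the untrusted entry name with `%s` before any validation runs, and `log.Fatalf("Invalid file path %s\n", filePath)` does the same on rejection, so escape sequences in archive entry names still reach the terminal on this path; `%q` would avoid that.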
    @@ -467,3 +473,18 @@ func UnzipDirectory(destination string, source string) error {
     	fmt.Fprintf(os.Stderr, "\n")
     	return nil
     }
    +
    +// ValidFileName checks if a filename is valid
    +// and returns true only if it all of the characters are either
    +// 0-9, a-z, A-Z, ., _, -, space, or /
    +func ValidFileName(fname string) bool {
    +	for _, r := range fname {
    +		if !((r >= '0' && r <= '9') ||
    +			(r >= 'a' && r <= 'z') ||
    +			(r >= 'A' && r <= 'Z') ||
    +			r == '.' || r == '_' || r == '-' || r == ' ' || r == '/') {
    +			return false
    +		}
    +	}
    +	return true
    +}
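Review bot: the allowlist is ASCII-only (`'0'..'9'`, `'a'..'z'`, `'A'..'Z'`, `.`, `_`, `-`, space and `/`), so any non-ASCII name such as `résumé.pdf` or a CJK filename is refused, as are common ASCII characters like `(`, `)`, `+`, `,`, `@` and `~`; if the goal is to keep terminal control sequences out, rejecting runes for which `unicode.IsControl` is true together with invalid UTF-8 bytes (a raw 8-bit CSI `0x9B` arrives as an invalid byte) would block ESC, BEL and the whole C1 range without breaking Unicode names. Two further details: the empty string passes (the loop never runs and the function returns `true`), and because `/` is allowed and `..` is not checked here the function does not by itself prevent traversal, which the doc comment should state so callers do not rely on it alone.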
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 7

News mentions: 0

No linked articles in our index yet.