CVE-2023-43621
Description
An issue was discovered in Croc through 9.6.5. The shared secret, located on a command line, can be read by local users who list all processes and their arguments.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Croc file transfer tool exposes the shared secret on the command line, allowing local users to read it via process listing.
Vulnerability
Croc through version 9.6.5 passes the shared secret (code phrase) as a command-line argument. This makes the secret visible to any local user who can list running processes and their arguments, e.g., via ps aux or reading /proc/[pid]/cmdline [1][2]. The shared secret is used to establish an end-to-end encrypted channel using PAKE (Password Authenticated Key Exchange) [3].
Exploitation
An attacker with local access to the system—no special privileges required—can observe the command-line arguments of any process owned by another user. By capturing the croc process's arguments, the attacker obtains the shared secret. This attack is trivial to execute on multi-user systems or shared environments [1].
Impact
With the shared secret, an attacker can impersonate a legitimate transfer participant, intercept file transfers, or perform man-in-the-middle attacks. Since the secret is the root of trust for the PAKE-based encryption, its disclosure completely undermines the security of the file transfer [1][3].
Mitigation
The recommended fix is to read the shared secret from an environment variable (e.g., CROC_SECRET) instead of the command line. Pull request #701 implements this change [4]. Users should update to a version that includes this fix or avoid passing the secret on the command line by using the environment variable. No official patch release has been announced as of the publication date, but the upstream project has accepted the fix [4].
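As an added illustration of the mitigation described above (this is example code written for this page, not croc's own source), the following Go program reads the code phrase only from an environment variable, refuses to start when it is unset or blank, drops the variable from its own environment before doing anything else so that child processes do not inherit it, and rejects an invocation that also carries the phrase in argv. The variable name CROC_SECRET comes from the upstream fix; the function names (secretFromEnv, checkArgs, loadSecret), the error values and the sample code phrase are assumptions made for this example.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"strings"
)

// secretEnvVar is the variable name used by the upstream fix (pull request #701).
const secretEnvVar = "CROC_SECRET"

// ErrNoSecret is returned when the environment carries no usable code phrase.
var ErrNoSecret = errors.New("no code phrase set; export " + secretEnvVar + " and retry")

// ErrSecretOnCmdline is returned when the code phrase was also passed as an
// argument: by then it has already been visible to other local users.
var ErrSecretOnCmdline = errors.New("code phrase must not be passed on the command line")

// secretFromEnv reads the shared secret through lookup (os.LookupEnv in
// production, a map-backed stub in tests). Unset or blank values are rejected
// so the caller never silently falls back to a command-line argument.
func secretFromEnv(lookup func(string) (string, bool)) (string, error) {
	v, ok := lookup(secretEnvVar)
	if !ok || strings.TrimSpace(v) == "" {
		return "", ErrNoSecret
	}
	return v, nil
}

// checkArgs refuses to continue if the secret appears anywhere in argv, either
// as a bare argument or as the value of a --flag=VALUE form.
func checkArgs(args []string, secret string) error {
	for _, a := range args {
		if a == secret || strings.HasSuffix(a, "="+secret) {
			return ErrSecretOnCmdline
		}
	}
	return nil
}

// loadSecret is the hardened entry point (hypothetical name): it takes the
// secret from the real environment, removes the variable from this process's
// environment so anything exec'd later does not inherit it, and verifies that
// argv does not carry a copy.
func loadSecret(args []string) (string, error) {
	secret, err := secretFromEnv(os.LookupEnv)
	if err != nil {
		return "", err
	}
	if err := os.Unsetenv(secretEnvVar); err != nil {
		return "", err
	}
	if err := checkArgs(args, secret); err != nil {
		return "", err
	}
	return secret, nil
}

func main() {
	secret, err := loadSecret(os.Args[1:])
	if err != nil {
		fmt.Fprintln(os.Stderr, "error:", err)
		os.Exit(1) // a missing or exposed secret is a failure, not success
	}
	// Never echo the phrase itself; report only that it was loaded.
	fmt.Printf("code phrase loaded from %s (%d characters)\n", secretEnvVar, len(secret))
}
```

On Linux, /proc/[pid]/cmdline is readable by every local user by default, whereas /proc/[pid]/environ is only readable by the process owner and root, which is why moving the phrase into the environment closes the disclosure described in this advisory; os.Unsetenv only affects what this process passes on to children, not the initial environment block a debugger could still read from the same user's process.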
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/schollz/croc/v9 (Go) | < 9.6.16 | 9.6.16 |
Affected products
- Croc / Croc
- OSV coordinates: 3 versions, < 10.0.0-r0 (+ 2 more)
- (no CPE) range: < 10.0.0-r0
- (no CPE) range: < 10.0.0-r0
- (no CPE) range: < 9.6.16
Patches
- 863dabb93a27: Merge pull request #701 from schollz/issue598 (1 file changed, +24 −0)
src/cli/cli.go+24 −0 modified@@ -321,6 +321,18 @@ func send(c *cli.Context) (err error) { // save the config saveConfig(c, crocOptions) + // if operating system is UNIX, then use environmental variable to set the code + if runtime.GOOS == "linux" { + cr.Options.SharedSecret = os.Getenv("CROC_SECRET") + if cr.Options.SharedSecret == "" { + fmt.Printf(`To use croc you need to set a code phrase using your environmental variables: + +export CROC_SECRET="yourcodephrasetouse" + `) + os.Exit(0) + } + } + err = cr.Send(minimalFileInfos, emptyFoldersToTransfer, totalNumberFolders) return @@ -536,6 +548,18 @@ func receive(c *cli.Context) (err error) { log.Debugf("wrote %s", configFile) } + // if operating system is UNIX, then use environmental variable to set the code + if runtime.GOOS == "linux" { + cr.Options.SharedSecret = os.Getenv("CROC_SECRET") + if cr.Options.SharedSecret == "" { + fmt.Printf(`To use croc you need to set a code phrase using your environmental variables: + + export CROC_SECRET="yourcodephrasetouse" + `) + os.Exit(0) + } + } + err = cr.Receive() return }
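Review bot: The guard `if runtime.GOOS == "linux"` in the send() hunk contradicts its own comment ("if operating system is UNIX") and leaves every other Unix-like platform on the old code path, where the code phrase stays in the process arguments; nothing in the added block is Linux-specific, so the guard should either be dropped or widened to all non-Windows targets. The error path then calls `os.Exit(0)` after printing the usage text with `fmt.Printf`, so a missing CROC_SECRET reports success to callers and scripts; exit non-zero and write the message to stderr.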
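Review bot: The receive() hunk is a verbatim copy of the block added to send(), including the linux-only guard and `os.Exit(0)`, so both sites now have to be kept in step by hand; factor the lookup into one helper (for example a function that returns `(string, error)`) and call it from both places. Note also that `cr.Options.SharedSecret = os.Getenv("CROC_SECRET")` overwrites the field unconditionally inside the guard while the diff removes nothing (+24 −0), so a phrase still supplied through the existing argument path is silently discarded on Linux rather than rejected with a message that it has already been exposed.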
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-7g3v-4ggr-xvjf (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2023-43621 (GHSA, advisory)
- www.openwall.com/lists/oss-security/2023/09/21/5 (GHSA, mailing list, web)
- github.com/schollz/croc/commit/863dabb93a271f41b3431c4384357e1856a69533 (GHSA, web)
- github.com/schollz/croc/issues/598 (GHSA, web)
- github.com/schollz/croc/pull/701 (GHSA, web)
- www.openwall.com/lists/oss-security/2023/09/08/2 (GHSA, web)
News mentions
No linked articles in our index yet.