VYPR
High severityNVD Advisory· Published Mar 18, 2026· Updated Mar 19, 2026

Romeo is vulnerable to Archive Slip due to missing checks in sanitization

CVE-2026-32805

Description

Romeo gives the capability to reach high code coverage of Go ≥1.20 apps by helping to measure code coverage for functional and integration tests within GitHub Actions. Prior to version 0.2.2, the sanitizeArchivePath function in webserver/api/v1/decoder.go (lines 80-88) is vulnerable to a path traversal bypass due to a missing trailing path separator in the strings.HasPrefix check. A crafted tar archive can write files outside the intended destination directory. Version 0.2.2 fixes the issue.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
github.com/ctfer-io/romeo/webserverGo
< 0.2.20.2.2

Affected products

3

Patches

Vulnerability mechanics

References

4

News mentions

0

No linked articles in our index yet.