Romeo is vulnerable to Archive Slip due to missing checks in sanitization
Description
Romeo gives the capability to reach high code coverage of Go ≥1.20 apps by helping to measure code coverage for functional and integration tests within GitHub Actions. Prior to version 0.2.2, the sanitizeArchivePath function in webserver/api/v1/decoder.go (lines 80-88) is vulnerable to a path traversal bypass due to a missing trailing path separator in the strings.HasPrefix check. A crafted tar archive can write files outside the intended destination directory. Version 0.2.2 fixes the issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CVE-2026-32805 is a path traversal vulnerability in Romeo's archive extraction, allowing an attacker to write files outside the target directory via a crafted tar archive.
Vulnerability
CVE-2026-32805 is a path traversal vulnerability in Romeo, a tool for measuring code coverage in Go applications. The flaw resides in the sanitizeArchivePath function within webserver/api/v1/decoder.go. This function uses strings.HasPrefix(v, filepath.Clean(d)) without appending a trailing path separator to the destination directory, leading to a prefix collision. For example, a tar entry named ../extract-outputevil/pwned bypasses the check, allowing extraction to an unintended location [1][3].
Exploitation
To exploit this vulnerability, an attacker must provide a crafted tar archive to the webserver's download endpoint. The archive contains malicious entries with path traversal names. The attacker needs write access to the PersistentVolumeClaim (PVC) or the ability to upload the archive to the coverage mount path [3]. The Unzip function processes the archive and, due to the flawed sanitization, writes files outside the intended destination directory.
Impact
Successful exploitation allows an attacker to write arbitrary files to the filesystem, potentially overwriting critical system files or configuration data. This could lead to privilege escalation, code execution, or denial of service, depending on the permissions of the Romeo process [1].
Mitigation
The vulnerability is fixed in Romeo version 0.2.2. The fix appends os.PathSeparator to the cleaned destination path in the HasPrefix check, preventing the prefix collision [4]. Users should upgrade to version 0.2.2 or later to mitigate the risk. No workarounds are documented.
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
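The prefix collision in the Vulnerability section and the separator fix in the Mitigation section can be demonstrated side by side. The following is an added example written for this page, not code from the Romeo project: `sanitizeVulnerable` reproduces the pre-0.2.2 check, `sanitizeFixed` the 0.2.2 check, and `sanitizeRel` is an additional variant (an assumption of this example, not something the advisory describes) that uses `filepath.Rel` so that a destination of `.` is handled. The `ErrPathTainted` fields and the destination name `extract-output` are assumptions; the entry names are constructed test inputs, including the advisory's own `../extract-outputevil/pwned`.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ErrPathTainted mirrors the error type named in the advisory; its fields
// here are an assumption of this example.
type ErrPathTainted struct {
	Path string
}

func (e *ErrPathTainted) Error() string {
	return fmt.Sprintf("archive entry %q escapes the destination directory", e.Path)
}

// sanitizeVulnerable reproduces the pre-0.2.2 logic: a bare prefix test.
// "extract-output" is a prefix of "extract-outputevil/pwned", so an entry
// that resolves to a sibling directory is accepted.
func sanitizeVulnerable(destination, entry string) (string, error) {
	joined := filepath.Join(destination, entry)
	if strings.HasPrefix(joined, filepath.Clean(destination)) {
		return joined, nil
	}
	return "", &ErrPathTainted{Path: entry}
}

// sanitizeFixed follows the 0.2.2 fix: the prefix carries a trailing
// separator, so only paths strictly inside the directory match.
func sanitizeFixed(destination, entry string) (string, error) {
	joined := filepath.Join(destination, entry)
	prefix := filepath.Clean(destination) + string(os.PathSeparator)
	if !strings.HasPrefix(joined, prefix) {
		return "", &ErrPathTainted{Path: entry}
	}
	return joined, nil
}

// sanitizeRel is an alternative (added here, not Romeo's code): it asks
// filepath.Rel whether the joined path climbs out of the destination.
// Unlike the prefix check it also works when destination is ".".
func sanitizeRel(destination, entry string) (string, error) {
	cleanDest := filepath.Clean(destination)
	joined := filepath.Join(cleanDest, entry)
	rel, err := filepath.Rel(cleanDest, joined)
	if err != nil || rel == "." || rel == ".." ||
		strings.HasPrefix(rel, ".."+string(os.PathSeparator)) {
		return "", &ErrPathTainted{Path: entry}
	}
	return joined, nil
}

func main() {
	const destination = "extract-output" // assumed output directory
	// Constructed archive entry names exercising the check.
	entries := []string{
		"safe/file.txt",
		"../extract-outputevil/pwned", // the advisory's collision example
		"../outside.txt",
		".",
	}
	for _, e := range entries {
		_, errVuln := sanitizeVulnerable(destination, e)
		_, errFixed := sanitizeFixed(destination, e)
		_, errRel := sanitizeRel(destination, e)
		fmt.Printf("%-30s vulnerable=%-5t fixed=%-5t rel=%t\n",
			e, errVuln == nil, errFixed == nil, errRel == nil)
	}
}
```

Running it shows the vulnerable check accepting `../extract-outputevil/pwned` while both hardened variants reject it. The separator-prefix check also rejects the bare `.` entry (the destination itself), which is the safe outcome for an archive extractor; the `Rel` variant is worth knowing because `filepath.Join(".", "a")` cleans to `a`, which has no `./` prefix, so a prefix check with destination `.` rejects every entry, whereas `Rel` still distinguishes `a` from `../a`.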
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/ctfer-io/romeo/webserver (Go) | < 0.2.2 | 0.2.2 |
Affected products
- ctfer-io/romeo [v5], range: < 0.2.2
Patches
- c2ebcfb9f305: fix: missing check on archive path sanitization (#671)
1 file changed · +8 −7
webserver/api/v1/decoder.go+8 −7 modified@@ -77,14 +77,15 @@ func (dec *Decompressor) Unzip(r *zip.Reader, cd string) (string, error) { return outDir, nil } -func sanitizeArchivePath(d, t string) (v string, err error) { - v = filepath.Join(d, t) - if strings.HasPrefix(v, filepath.Clean(d)) { - return v, nil - } - return "", &ErrPathTainted{ - Path: t, +// Based upon https://security.snyk.io/research/zip-slip-vulnerability#expandable-socPI9fFAJ-title +func sanitizeArchivePath(destination, filePath string) (destpath string, err error) { + destpath = filepath.Join(destination, filePath) + if !strings.HasPrefix(destpath, filepath.Clean(destination)+string(os.PathSeparator)) { + return destpath, &ErrPathTainted{ + Path: destination, + } } + return } func (dec *Decompressor) copyTo(f *zip.File, filePath string) error {
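Review bot: in the rejection branch the new code sets `Path: destination` where the removed code set `Path: t`, so ErrPathTainted now reports the destination directory rather than the offending archive entry; suggest `Path: filePath` so logs identify the tainted name. The same branch also returns the joined `destpath` alongside the error where the old code returned `""`; returning the empty string keeps callers from using a rejected path by mistake. The hunk introduces `os.PathSeparator` but the +8 −7 change shows no import edit, so confirm `os` is already imported in decoder.go.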
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-p799-g7vv-f279 (GHSA, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2026-32805 (GHSA, ADVISORY)
- github.com/ctfer-io/romeo/commit/c2ebcfb9f305fd5f6ef68858de82507dbac10263 (GHSA, x_refsource_MISC, WEB)
- github.com/ctfer-io/romeo/security/advisories/GHSA-p799-g7vv-f279 (GHSA, x_refsource_CONFIRM, WEB)
News mentions
No linked articles in our index yet.