CVE-2026-32733
Received Received - Intake
Path Traversal in Halloy IRC DCC Send Allows Arbitrary File Write

Publication date: 2026-03-20

Last updated on: 2026-03-23

Assigner: GitHub, Inc.

Description
Halloy is an IRC application written in Rust. Prior to commit 0f77b2cfc5f822517a256ea5a4b94bad8bfe38b6, the DCC receive flow did not sanitize filenames from incoming `DCC SEND` requests. A remote IRC user could send a filename with path traversal sequences like `../../.ssh/authorized_keys` and the file would be written outside the user's configured `save_directory`. With auto-accept enabled this required zero interaction from the victim. Starting with commit 0f77b2cfc5f822517a256ea5a4b94bad8bfe38b6, all identified code paths sanitize filenames through a shared `sanitize_filename` function.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-20
Last Modified
2026-03-23
Generated
2026-06-16
AI Q&A
2026-03-21
EPSS Evaluated
2026-06-15
NVD
CVE-2026-32733
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
halloy halloy to 2026.4 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Halloy IRC application, which is written in Rust. Before a specific code commit, the application did not sanitize filenames received via DCC SEND requests. This allowed a remote IRC user to send a filename containing path traversal sequences (e.g., ../../.ssh/authorized_keys), causing the file to be saved outside the intended directory.

If the auto-accept feature was enabled, the victim did not need to interact for the malicious file to be saved, making exploitation easier. The issue was fixed by introducing a shared filename sanitization function in the code.

Impact Analysis

This vulnerability can lead to unauthorized file writes outside the user's designated save directory. An attacker could overwrite or create files in sensitive locations on the victim's system by exploiting path traversal in filenames.

Such unauthorized file writes could compromise system integrity, potentially allowing attackers to modify configuration files or inject malicious content without user interaction if auto-accept is enabled.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

To mitigate this vulnerability, ensure that you are using a version of Halloy IRC application that includes the commit 0f77b2cfc5f822517a256ea5a4b94bad8bfe38b6 or later, as this commit sanitizes filenames in incoming DCC SEND requests to prevent path traversal.

Additionally, consider disabling the auto-accept feature for DCC SEND requests to prevent zero-interaction exploitation.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-32733. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart