{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32805", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-16T17:35:36.695Z", "datePublished": "2026-03-18T22:24:29.102Z", "dateUpdated": "2026-03-19T13:46:59.937Z"}, "containers": {"cna": {"title": "Romeo is vulnerable to Archive Slip due to missing checks in sanitization", "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "lang": "en", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "LOW", "subAvailabilityImpact": "LOW", "baseScore": 8.3, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:L/SA:L", "version": "4.0"}}], "references": [{"name": "https://github.com/ctfer-io/romeo/security/advisories/GHSA-p799-g7vv-f279", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/ctfer-io/romeo/security/advisories/GHSA-p799-g7vv-f279"}, {"name": "https://github.com/ctfer-io/romeo/commit/c2ebcfb9f305fd5f6ef68858de82507dbac10263", "tags": ["x_refsource_MISC"], "url": "https://github.com/ctfer-io/romeo/commit/c2ebcfb9f305fd5f6ef68858de82507dbac10263"}], "affected": [{"vendor": "ctfer-io", "product": "romeo", "versions": [{"version": "< 0.2.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-18T22:24:29.102Z"}, "descriptions": [{"lang": "en", "value": "Romeo gives the capability to reach high code coverage of Go \u22651.20 apps by helping to measure code coverage for functional and integration tests within GitHub Actions. Prior to version 0.2.2, the `sanitizeArchivePath` function in `webserver/api/v1/decoder.go` (lines 80-88) is vulnerable to a path traversal bypass due to a missing trailing path separator in the `strings.HasPrefix` check. A crafted tar archive can write files outside the intended destination directory. Version 0.2.2 fixes the issue."}], "source": {"advisory": "GHSA-p799-g7vv-f279", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/ctfer-io/romeo/security/advisories/GHSA-p799-g7vv-f279", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-19T13:46:46.532702Z", "id": "CVE-2026-32805", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-19T13:46:59.937Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-32805", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-19T13:46:46.532702Z"}}}], "references": [{"url": "https://github.com/ctfer-io/romeo/security/advisories/GHSA-p799-g7vv-f279", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-19T13:46:38.632Z"}}], "cna": {"title": "Romeo is vulnerable to Archive Slip due to missing checks in sanitization", "source": {"advisory": "GHSA-p799-g7vv-f279", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 8.3, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:L/SA:L", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "subIntegrityImpact": "LOW", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "LOW", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE"}}], "affected": [{"vendor": "ctfer-io", "product": "romeo", "versions": [{"status": "affected", "version": "< 0.2.2"}]}], "references": [{"url": "https://github.com/ctfer-io/romeo/security/advisories/GHSA-p799-g7vv-f279", "name": "https://github.com/ctfer-io/romeo/security/advisories/GHSA-p799-g7vv-f279", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/ctfer-io/romeo/commit/c2ebcfb9f305fd5f6ef68858de82507dbac10263", "name": "https://github.com/ctfer-io/romeo/commit/c2ebcfb9f305fd5f6ef68858de82507dbac10263", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Romeo gives the capability to reach high code coverage of Go \u22651.20 apps by helping to measure code coverage for functional and integration tests within GitHub Actions. Prior to version 0.2.2, the `sanitizeArchivePath` function in `webserver/api/v1/decoder.go` (lines 80-88) is vulnerable to a path traversal bypass due to a missing trailing path separator in the `strings.HasPrefix` check. A crafted tar archive can write files outside the intended destination directory. Version 0.2.2 fixes the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-18T22:24:29.102Z"}}}, "cveMetadata": {"cveId": "CVE-2026-32805", "state": "PUBLISHED", "dateUpdated": "2026-03-19T13:46:59.937Z", "dateReserved": "2026-03-16T17:35:36.695Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-18T22:24:29.102Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:ctfer-io:romeo:*:*:*:*:*:*:*:*", "matchCriteriaId": "34A1A13E-5E86-4A98-99D2-738F4014415D", "versionEndExcluding": "0.2.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Romeo gives the capability to reach high code coverage of Go \u22651.20 apps by helping to measure code coverage for functional and integration tests within GitHub Actions. Prior to version 0.2.2, the `sanitizeArchivePath` function in `webserver/api/v1/decoder.go` (lines 80-88) is vulnerable to a path traversal bypass due to a missing trailing path separator in the `strings.HasPrefix` check. A crafted tar archive can write files outside the intended destination directory. Version 0.2.2 fixes the issue."}, {"lang": "es", "value": "Romeo permite alcanzar una alta cobertura de c\u00f3digo en aplicaciones Go ?1.20, ya que ayuda a medir la cobertura de c\u00f3digo en pruebas funcionales y de integraci\u00f3n dentro de GitHub Actions. Antes de la versi\u00f3n 0.2.2, la funci\u00f3n `sanitizeArchivePath` en `webserver/api/v1/decoder.go` (l\u00edneas 80-88) era vulnerable a un bypass de recorrido de ruta debido a la falta de un separador de ruta final en la comprobaci\u00f3n `strings.HasPrefix`. Un archivo tar malicioso pod\u00eda escribir archivos fuera del directorio de destino previsto. La versi\u00f3n 0.2.2 corrige el problema."}], "id": "CVE-2026-32805", "lastModified": "2026-03-24T21:26:26.890", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.3, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "LOW", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-18T23:17:30.213", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/ctfer-io/romeo/commit/c2ebcfb9f305fd5f6ef68858de82507dbac10263"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/ctfer-io/romeo/security/advisories/GHSA-p799-g7vv-f279"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/ctfer-io/romeo/security/advisories/GHSA-p799-g7vv-f279"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,0.2.2)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "romeo", "source": "cna", "vendor": "ctfer-io"}, "product": "romeo", "vendor": "ctfer-io"}], "analysis": {"en": {"generated_at": "2026-03-24T22:52:51.050284+00:00", "value": {"mitigation_remediation": ["Upgrade Romeo to version 0.2.2 or later."], "summary": {"action": "Patch", "impact": "Path Traversal (Arbitrary File Write)"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the ctfer-io:romeo application in all versions released before 0.2.2. Deployments that accept tarfile uploads via the web API, such as those used for measuring Go coverage in GitHub Actions, are exposed. Users running Romeo 0.2.1 or earlier are at risk.", "description_and_impact": "Romeo contains a flaw in the sanitizeArchivePath routine that omits a trailing path separator check. When a specially crafted tarball is uploaded through the API, the extraction process can bypass the intended destination guard, allowing files to be written outside of the intended directory. This defect enables an attacker to modify or overwrite arbitrary files within the deployed instance, potentially compromising data integrity and confidentiality.", "risk_and_exploitability": "The CVSS base score of 8.3 indicates a high severity risk for path traversal. The EPSS score of less than 1% suggests a low probability of exploitation in the wild, and it is not listed in the CISA KEV catalog. The likely attack vector is a crafted tar upload to the API endpoint; successful exploitation would result in file writes beyond the intended extraction directory, potentially altering or replacing existing files."}}}}, "created": "2026-03-19T08:55:07.882127+00:00", "updated": "2026-03-25T11:51:51.298341+00:00", "vendors": ["ctfer-io", "ctfer-io$PRODUCT$romeo"]}