Description
Halloy is an IRC application written in Rust. Prior to commit 0f77b2cfc5f822517a256ea5a4b94bad8bfe38b6, the DCC receive flow did not sanitize filenames from incoming `DCC SEND` requests. A remote IRC user could send a filename with path traversal sequences like `../../.ssh/authorized_keys` and the file would be written outside the user's configured `save_directory`. With auto-accept enabled this required zero interaction from the victim. Starting with commit 0f77b2cfc5f822517a256ea5a4b94bad8bfe38b6, all identified code paths sanitize filenames through a shared `sanitize_filename` function.
Published: 2026-03-20
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Arbitrary File Write
Action: Immediate Patch
AI Analysis

Impact

Halloy, an IRC client written in Rust, suffered from a path traversal flaw in its DCC receive flow. Prior to commit 0f77b2cfc5f822517a256ea5a4b94bad8bfe38b6, filenames supplied by an incoming DCC SEND request were not sanitized, so a remote IRC user could embed traversal sequences such as `../../.ssh/authorized_keys`. This weakness, classified as CWE-22 (Path Traversal), caused the client to write the file outside the configured save directory, allowing arbitrary files on the victim's file system to be overwritten. The impact is a remote arbitrary file write with the potential to compromise the confidentiality, integrity, or availability of the victim's data.

Affected Systems

The vulnerability applies to all releases of Halloy before the specified commit, regardless of the operating system. Users running an older Halloy version and enabling automatic acceptance of DCC file transfers are at risk; any user who allows incoming DCC SEND requests without manual confirmation is susceptible.

Risk and Exploitability

The CVSS score of 8.7 indicates high severity, while the EPSS score of less than 1% suggests a low current likelihood of exploitation. Halloy is not listed in the CISA KEV catalog. Exploitation requires the victim to be connected to an IRC server on which the attacker can send a DCC SEND request carrying a crafted filename. With auto-accept enabled, no user interaction is required, making remote exploitation straightforward. Attackers could overwrite sensitive files such as authorized_keys, leading to privilege escalation or unauthorized access.

Generated by OpenCVE AI on March 23, 2026 at 20:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Halloy to a version that includes commit 0f77b2cfc5f822517a256ea5a4b94bad8bfe38b6 or later.
  • If an update is not feasible, disable automatic DCC file acceptance or enforce manual approval of all DCC SEND requests.
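The fix the description refers to is routing every DCC filename through one sanitizer before it is joined onto `save_directory`. The following Rust example is added here to illustrate that defensive pattern; it is not Halloy's code and its `sanitize_filename`, `safe_destination`, `unsafe_destination` and `escapes_base` functions are hypothetical. The save directory and the filename are constructed sample values (the filename is the one quoted in the advisory). The sanitizer keeps only the last path component, strips control characters and accepts the result only if it parses as a single normal component; `safe_destination` then re-checks, after the join, that the destination extends the base by exactly one component.

```rust
use std::path::{Component, Path, PathBuf};

/// Reduce an untrusted DCC SEND filename to a single, plain path component.
/// Hypothetical helper written for this page; it is not Halloy's own
/// `sanitize_filename` and makes no claim about how that function works.
pub fn sanitize_filename(raw: &str) -> Option<String> {
    // Treat '/' and '\' as separators regardless of the host OS and keep only
    // the last piece, so "../../.ssh/authorized_keys" becomes "authorized_keys".
    let last = raw.rsplit(|c: char| c == '/' || c == '\\').next().unwrap_or("");
    // Drop control characters (including NUL), which C APIs and some
    // filesystems handle unpredictably, then trim surrounding whitespace.
    let cleaned: String = last.chars().filter(|c| !c.is_control()).collect();
    let trimmed = cleaned.trim();
    // Accept only a value that parses as exactly one Normal component: this
    // rejects "", ".", ".." and anything the platform reads as a root or prefix.
    let mut comps = Path::new(trimmed).components();
    match (comps.next(), comps.next()) {
        (Some(Component::Normal(_)), None) => Some(trimmed.to_owned()),
        _ => None,
    }
}

/// Join the sanitized name onto `save_directory` and confirm, as a second
/// line of defence, that the result extends the base by exactly one component.
pub fn safe_destination(save_directory: &Path, raw: &str) -> Option<PathBuf> {
    let name = sanitize_filename(raw)?;
    let candidate = save_directory.join(&name);
    let base_len = save_directory.components().count();
    if candidate.starts_with(save_directory) && candidate.components().count() == base_len + 1 {
        Some(candidate)
    } else {
        None
    }
}

/// The unsanitized join the advisory describes, kept only for contrast:
/// `Path::join` does not normalize, so ".." components survive into the result.
pub fn unsafe_destination(save_directory: &Path, raw: &str) -> PathBuf {
    save_directory.join(raw)
}

/// True when a joined path lexically climbs out of its base directory.
pub fn escapes_base(path: &Path) -> bool {
    path.components().any(|c| c == Component::ParentDir)
}

fn main() {
    // Constructed sample values: a save directory and the filename pattern
    // quoted in the advisory.
    let save_dir = Path::new("/home/victim/Downloads");
    let attacker_name = "../../.ssh/authorized_keys";

    let before = unsafe_destination(save_dir, attacker_name);
    println!(
        "unsanitized join: {} (escapes base: {})",
        before.display(),
        escapes_base(&before)
    );

    match safe_destination(save_dir, attacker_name) {
        Some(p) => println!("sanitized join:   {}", p.display()),
        None => println!("sanitized join:   rejected"),
    }
}
```

The post-join check in `safe_destination` is deliberately redundant with the sanitizer: if a future change to the sanitizer lets a separator or prefix through, the component count still rejects the write instead of silently landing a file outside the configured directory.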


Advisories

No advisories yet.

History

Tue, 24 Mar 2026 02:30:00 +0000

Type: Metrics
Values removed: (none)
Values added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 23 Mar 2026 19:30:00 +0000

Type: First Time appeared
Values removed: (none)
Values added: Halloy; Halloy halloy

Type: CPEs
Values removed: (none)
Values added: cpe:2.3:a:halloy:halloy:*:*:*:*:*:*:*:*

Type: Vendors & Products
Values removed: (none)
Values added: Halloy; Halloy halloy

Type: Metrics
Values removed: (none)
Values added: cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N'}


Mon, 23 Mar 2026 10:00:00 +0000

Type: First Time appeared
Values removed: (none)
Values added: Squidowl; Squidowl halloy

Type: Vendors & Products
Values removed: (none)
Values added: Squidowl; Squidowl halloy

Fri, 20 Mar 2026 22:45:00 +0000

Type: Description
Values removed: (none)
Values added: Halloy is an IRC application written in Rust. Prior to commit 0f77b2cfc5f822517a256ea5a4b94bad8bfe38b6, the DCC receive flow did not sanitize filenames from incoming `DCC SEND` requests. A remote IRC user could send a filename with path traversal sequences like `../../.ssh/authorized_keys` and the file would be written outside the user's configured `save_directory`. With auto-accept enabled this required zero interaction from the victim. Starting with commit 0f77b2cfc5f822517a256ea5a4b94bad8bfe38b6, all identified code paths sanitize filenames through a shared `sanitize_filename` function.

Type: Title
Values removed: (none)
Values added: Halloy has a file transfer path traversal vulnerability

Type: Weaknesses
Values removed: (none)
Values added: CWE-22

Type: References
Values removed: (none)
Values added:

Type: Metrics
Values removed: (none)
Values added: cvssV4_0 {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-24T02:06:30.856Z

Reserved: 2026-03-13T15:02:00.627Z

Link: CVE-2026-32733

Vulnrichment

Updated: 2026-03-24T02:06:24.819Z

NVD

Status : Analyzed

Published: 2026-03-20T23:16:44.703

Modified: 2026-03-23T19:21:36.567

Link: CVE-2026-32733

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T14:34:14Z

Weaknesses