Description
Romeo gives the capability to reach high code coverage of Go ≥1.20 apps by helping to measure code coverage for functional and integration tests within GitHub Actions. Prior to version 0.2.2, the `sanitizeArchivePath` function in `webserver/api/v1/decoder.go` (lines 80-88) is vulnerable to a path traversal bypass due to a missing trailing path separator in the `strings.HasPrefix` check. A crafted tar archive can write files outside the intended destination directory. Version 0.2.2 fixes the issue.
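As an added illustration (not Romeo's code, and not the actual contents of `decoder.go`), the prefix check with and without the trailing separator, run over constructed archive entry names; the function names and the destination path are assumptions:

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

var errTraversal = errors.New("archive entry escapes destination directory")

// sanitizeWeak reconstructs the bug class the advisory describes (hypothetical,
// not Romeo's real code): the joined path is compared against the bare
// destination with strings.HasPrefix, so a sibling directory whose name shares
// the destination's prefix passes the check.
func sanitizeWeak(dest, name string) (string, error) {
	root := filepath.Clean(dest)
	p := filepath.Join(root, name)
	if !strings.HasPrefix(p, root) {
		return "", errTraversal
	}
	return p, nil
}

// sanitizeStrict is the hardened form: the joined path must be the destination
// itself or start with destination + separator; absolute entry names are
// rejected outright instead of being silently re-rooted by Join.
func sanitizeStrict(dest, name string) (string, error) {
	if filepath.IsAbs(name) {
		return "", errTraversal
	}
	root := filepath.Clean(dest)
	p := filepath.Join(root, name)
	if p != root && !strings.HasPrefix(p, root+string(filepath.Separator)) {
		return "", errTraversal
	}
	return p, nil
}

func main() {
	// Constructed sample entries: a plain coverage file, a nested one, and a
	// "../" entry that resolves into a sibling directory sharing the prefix.
	dest := "/srv/romeo/job1"
	for _, name := range []string{"cover.out", "sub/cover.out", "../job1-old/x"} {
		_, weakErr := sanitizeWeak(dest, name)
		_, strictErr := sanitizeStrict(dest, name)
		fmt.Printf("%-16s weak=%v strict=%v\n", name, weakErr, strictErr)
	}
}
```

Only the sibling-prefix entry distinguishes the two checks; entries that resolve to an unrelated directory are rejected by both, which is why the defect is easy to miss in tests that only try `../../`.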
Published: 2026-03-18
Score: 8.3 High
EPSS: < 1% Very Low
KEV: No
Impact: Path Traversal (Arbitrary File Write)
Action: Patch
AI Analysis

Impact

Romeo contains a flaw in the sanitizeArchivePath routine: its destination-prefix check omits the trailing path separator. When a specially crafted tarball is uploaded through the API, the extraction process can bypass the intended destination guard, allowing files to be written outside of the intended directory. This defect enables an attacker to modify or overwrite arbitrary files within the deployed instance, potentially compromising data integrity and confidentiality.

Affected Systems

The vulnerability affects the ctfer-io:romeo application in all versions released before 0.2.2. Deployments that accept tarfile uploads via the web API, such as those used for measuring Go coverage in GitHub Actions, are exposed. Users running Romeo 0.2.1 or earlier are at risk.

Risk and Exploitability

The CVSS base score of 8.3 indicates a high severity risk for path traversal. The EPSS score of less than 1% suggests a low probability of exploitation in the wild, and it is not listed in the CISA KEV catalog. The likely attack vector is a crafted tar upload to the API endpoint; successful exploitation would result in file writes beyond the intended extraction directory, potentially altering or replacing existing files.

Generated by OpenCVE AI on March 24, 2026 at 22:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Romeo to version 0.2.2 or later.

Advisories

Source: GitHub GHSA
ID: GHSA-p799-g7vv-f279
Title: Romeo is vulnerable to Archive Slip due to missing checks in sanitization

History

Tue, 24 Mar 2026 21:30:00 +0000

CPEs: cpe:2.3:a:ctfer-io:romeo:*:*:*:*:*:*:*:*
Metrics cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N'}


Thu, 19 Mar 2026 14:15:00 +0000

Metrics ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 19 Mar 2026 09:45:00 +0000

First Time appeared: Ctfer-io, Ctfer-io romeo
Vendors & Products: Ctfer-io, Ctfer-io romeo

Wed, 18 Mar 2026 22:45:00 +0000

Description: (text as in Description above)
Title: Romeo is vulnerable to Archive Slip due to missing checks in sanitization
Weaknesses: CWE-22
References
Metrics cvssV4_0: {'score': 8.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:L/SA:L'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-19T13:46:59.937Z

Reserved: 2026-03-16T17:35:36.695Z

Link: CVE-2026-32805

Vulnrichment

Updated: 2026-03-19T13:46:38.632Z

NVD

Status : Analyzed

Published: 2026-03-18T23:17:30.213

Modified: 2026-03-24T21:26:26.890

Link: CVE-2026-32805

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T11:51:51Z

Weaknesses