Description
Ghidra before 12.2 contains an unauthenticated path traversal vulnerability in the IsfServer that accepts TCP connections and passes client-supplied namespace strings directly to filesystem operations without validation. Remote attackers can connect to port 54321 and send crafted protobuf messages with traversal sequences to enumerate filesystem paths and probe arbitrary files.
Published: 2026-06-10
Score: 6.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a path traversal flaw in the IsfServer component of Ghidra, where client‑supplied namespace strings are used directly in file system operations without validation. Remote attackers can communicate over the listening TCP port, craft protocol messages containing traversal sequences, and obtain directory listings or read arbitrary file contents. This flaw results in information disclosure and potential exposure of sensitive configuration or source files, impacting confidentiality.

Affected Systems

The affected product is Ghidra from the National Security Agency, versions earlier than 12.2. No specific sub‑version ranges are listed, so any release before 12.2 contains the flaw.

Risk and Exploitability

The CVSS score of 6.3 indicates moderate severity. EPSS is not available, so the current exploitation probability cannot be quantified. The vulnerability is not listed in CISA KEV, suggesting it has not yet been targeted by known exploits. Attackers can exploit the flaw remotely by connecting to port 54321 and sending crafted protobuf messages; no authentication is required, making the attack surface wide and accessible from any network host with connectivity to the Ghidra instance.

Generated by OpenCVE AI on June 10, 2026 at 14:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Ghidra to version 12.2 or later
  • Disable or restrict access to the IsfServer listening port 54321, for example by firewalling or running Ghidra behind a reverse proxy
  • Apply network segmentation to limit attacker reach to systems running the vulnerable Ghidra service
  • Ensure that any custom namespace strings are validated or sanitized before use if the upgrade is not immediately feasible

Generated by OpenCVE AI on June 10, 2026 at 14:53 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 10 Jun 2026 14:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 10 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
Description Ghidra before 12.2 contains an unauthenticated path traversal vulnerability in the IsfServer that accepts TCP connections and passes client-supplied namespace strings directly to filesystem operations without validation. Remote attackers can connect to port 54321 and send crafted protobuf messages with traversal sequences to enumerate filesystem paths and probe arbitrary files.
Title Ghidra < 12.2 - Unauthenticated Path Traversal in Debugger ISF Server
First Time appeared Nsa
Nsa ghidra
Weaknesses CWE-22
CPEs cpe:2.3:a:nsa:ghidra:*:*:*:*:*:*:*:*
Vendors & Products Nsa
Nsa ghidra
References
Metrics cvssV3_1

{'score': 4.8, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L'}

cvssV4_0

{'score': 6.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N'}

Subscriptions

Nsa Ghidra
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-10T14:08:48.607Z

Reserved: 2026-06-08T15:20:09.274Z

Link: CVE-2026-52756

cve-icon Vulnrichment

Updated: 2026-06-10T14:05:42.945Z

cve-icon NVD

Status : Received

Published: 2026-06-10T14:16:35.880

Modified: 2026-06-10T15:16:41.173

Link: CVE-2026-52756

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-10T15:00:13Z

Weaknesses