Impact
A path traversal flaw exists in radare2 before version 6.1.4 that allows an attacker to read or write files outside the project directory by importing a specially crafted .zrp archive containing a symlinked notes.txt file. The flaw is a classic example of a CWE‑22 path traversal combined with a CWE‑59 relative path escape vulnerability. Attackers can bypass the directory confinement checks that radare2 normally applies to project notes, enabling them to access arbitrary files on the host file system. This capability can lead to information disclosure or unauthorized modification of data, but it does not provide direct code execution privileges.
Affected Systems
The vulnerability affects all radare2 installations running any version up to and including 6.1.3. The affected product is radare2 from radareorg. Users running these versions should update to version 6.1.4 or later, which removes the directory confinement checks for imported project notes.
Risk and Exploitability
The CVSS base score is 6.9, indicating a high severity due to the potential to read or alter critical files. The EPSS score is less than 1%, suggesting a low probability of widespread exploitation at present, and it is not listed in CISA’s KEV catalog. The likely attack vector involves an attacker delivering a malicious .zrp archive to a radare2 instance, either locally or through an interface that accepts uploads; precise exploitation requires control over the import of the archive. The vulnerability could therefore be leveraged by local users or remote users with the ability to submit .zrp files for processing.
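Where .zrp files arrive from untrusted sources, the archive can be screened before radare2 imports it. The following is an added example, not radare2's own code or its fix: it assumes a .zrp file is a zip-format archive, and the function name `audit_zrp` is hypothetical. It reports any entry stored as a symbolic link (such as the symlinked notes.txt described above) and any entry name that escapes the archive root.

```python
"""Pre-import audit of a .zrp archive for symlinked or escaping entries."""
import stat
import sys
import zipfile
from pathlib import PurePosixPath


def audit_zrp(archive):
    """Return (entry_name, reason) findings for a .zrp archive.

    Assumption: the archive is zip-format. `archive` is a path or a
    binary file-like object.
    """
    findings = []
    with zipfile.ZipFile(archive) as zf:
        for info in zf.infolist():
            # Unix mode bits are stored in the high 16 bits of external_attr.
            mode = info.external_attr >> 16
            if stat.S_ISLNK(mode):
                # For a symlink entry the stored data is the link target.
                target = zf.read(info).decode("utf-8", "replace")
                findings.append((info.filename, f"symlink -> {target}"))
            name = info.filename.replace("\\", "/")
            if name.startswith("/") or ".." in PurePosixPath(name).parts:
                findings.append((info.filename, "path escapes archive root"))
    return findings


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit(f"usage: {sys.argv[0]} project.zrp")
    results = audit_zrp(sys.argv[1])
    for entry, reason in results:
        print(f"REJECT {entry}: {reason}")
    # Non-zero exit lets an upload pipeline refuse the archive.
    sys.exit(1 if results else 0)
```

An empty result only means the archive carries no link or traversal entries; updating to 6.1.4 or later is still required.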