GHSA-xjvp-7243-rg9h: Wish has SCP Path Traversal that allows arbitrary file read/write

April 18, 2026

The SCP middleware in charm.land/wish/v2 is vulnerable to path traversal attacks. A malicious SCP client can read arbitrary files from the server, write arbitrary files to the server, and create directories outside the configured root directory by sending crafted filenames containing ../ sequences over the SCP protocol.

References

github.com/advisories/GHSA-xjvp-7243-rg9h
github.com/charmbracelet/wish
github.com/charmbracelet/wish/security/advisories/GHSA-xjvp-7243-rg9h

Code Behaviors & Features

Detect and mitigate GHSA-xjvp-7243-rg9h with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →