CVE-2026-32805: Romeo is vulnerable to Archive Slip due to missing checks in sanitization

March 16, 2026 (updated March 19, 2026)

The sanitizeArchivePath function in webserver/api/v1/decoder.go (lines 80-88) is vulnerable to a path traversal bypass due to a missing trailing path separator in the strings.HasPrefix check. A crafted tar archive can write files outside the intended destination directory.

References

github.com/advisories/GHSA-p799-g7vv-f279
github.com/ctfer-io/romeo
github.com/ctfer-io/romeo/commit/c2ebcfb9f305fd5f6ef68858de82507dbac10263
github.com/ctfer-io/romeo/security/advisories/GHSA-p799-g7vv-f279
nvd.nist.gov/vuln/detail/CVE-2026-32805

Code Behaviors & Features

Detect and mitigate CVE-2026-32805 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →