GHSA-p799-g7vv-f279: Romeo is vulnerable to Archive Slip due to missing checks in sanitization

March 16, 2026

The sanitizeArchivePath function in webserver/api/v1/decoder.go (lines 80-88) is vulnerable to a path traversal bypass due to a missing trailing path separator in the strings.HasPrefix check. A crafted tar archive can write files outside the intended destination directory.

References

github.com/advisories/GHSA-p799-g7vv-f279
github.com/ctfer-io/romeo
github.com/ctfer-io/romeo/commit/c2ebcfb9f305fd5f6ef68858de82507dbac10263
github.com/ctfer-io/romeo/security/advisories/GHSA-p799-g7vv-f279

Code Behaviors & Features

Detect and mitigate GHSA-p799-g7vv-f279 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →