CVE-2026-32805

Romeo gives the capability to reach high code coverage of Go ≥1.20 apps by helping to measure code coverage for functional and integration tests within GitHub Actions. Prior to version 0.2.2, the `sanitizeArchivePath` function in `webserver/api/v1/decoder.go` (lines 80-88) is vulnerable to a path traversal bypass due to a missing trailing path separator in the `strings.HasPrefix` check. A crafted tar archive can write files outside the intended destination directory. Version 0.2.2 fixes the issue.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/ctfer-io/romeo/commit/c2ebcfb9f305fd5f6ef68858de82507dbac10263	Patch
https://github.com/ctfer-io/romeo/security/advisories/GHSA-p799-g7vv-f279	Exploit Vendor Advisory
https://github.com/ctfer-io/romeo/security/advisories/GHSA-p799-g7vv-f279	Exploit Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:ctfer-io:romeo:*:*:*:*:*:*:*:*

History

24 Mar 2026, 21:26

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 7.5
References	~~() https://github.com/ctfer-io/romeo/commit/c2ebcfb9f305fd5f6ef68858de82507dbac10263 -~~	() https://github.com/ctfer-io/romeo/commit/c2ebcfb9f305fd5f6ef68858de82507dbac10263 - Patch
References	~~() https://github.com/ctfer-io/romeo/security/advisories/GHSA-p799-g7vv-f279 -~~	() https://github.com/ctfer-io/romeo/security/advisories/GHSA-p799-g7vv-f279 - Exploit, Vendor Advisory
CPE		cpe:2.3:a:ctfer-io:romeo::::::::
Summary		(es) Romeo permite alcanzar una alta cobertura de código en aplicaciones Go ?1.20, ya que ayuda a medir la cobertura de código en pruebas funcionales y de integración dentro de GitHub Actions. Antes de la versión 0.2.2, la función `sanitizeArchivePath` en `webserver/api/v1/decoder.go` (líneas 80-88) era vulnerable a un bypass de recorrido de ruta debido a la falta de un separador de ruta final en la comprobación `strings.HasPrefix`. Un archivo tar malicioso podía escribir archivos fuera del directorio de destino previsto. La versión 0.2.2 corrige el problema.
First Time		Ctfer-io Ctfer-io romeo

19 Mar 2026, 14:16

Type	Values Removed	Values Added
References	~~() https://github.com/ctfer-io/romeo/security/advisories/GHSA-p799-g7vv-f279 -~~	() https://github.com/ctfer-io/romeo/security/advisories/GHSA-p799-g7vv-f279 -

18 Mar 2026, 23:17

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-03-18 23:17

Updated : 2026-03-24 21:26

NVD link : CVE-2026-32805

Mitre link : CVE-2026-32805

CVE.ORG link : CVE-2026-32805

JSON object : View

Products Affected

ctfer-io

romeo

CWE

CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

7.5 /10