Magic Wormhole: receive, with --output pointing at an existing directory can be path-traversed

GHSA-cf92-gfcw-6v53 · CVE-2026-42448

Published May 6, 2026 · Modified Jun 8, 2026

Description

A receiver who specifies "--output

" where that output directory currently exists (as a directory).

0.24.0 will contain the patch

Ensure local target directories specified by "--output" do not already exist

Private email and Signal communications from a user.
Magic Wormhole thanks @marduc812

Ready to move

Free, no credit card | First findings in minutes