Git · Magic-Wormhole · CVE-2026-32116
**Name of the Vulnerable Software and Affected Versions**
Magic Wormhole versions 0.21.0 through 0.22.9
**Description**
Magic Wormhole allows the transfer of files and directories of arbitrary size between computers. A flaw exists where receiving a file (`wormhole receive`) from a malicious party, in versions from 0.21.0 up to but not including 0.23.0, could lead to the overwriting of critical local files, including `~/.ssh/authorized_keys` and `.bashrc`, which could compromise the receiving computer. The attack can only be initiated by the sender of the file (the party executing `wormhole send`); the wormhole protocol design excludes other parties, such as transit or relay servers, from influencing the filename. The issue stems from a receiver-side check that was dropped during refactoring in version 0.21.0 and restored in version 0.23.0. The `filename` received in a file-transfer request determines where the receiver writes the file. A legitimate sender computes this value from the base name of the file being sent, but because the receiver in affected versions did not validate it, a malicious sender could supply a filename containing directory components and overwrite files outside the intended receive location.
**Recommendations**
Versions prior to 0.23.0 should be upgraded to version 0.23.0 or later.
As a temporary workaround, use the `--output` or `-o` option with `wormhole receive` to override the sender's filename. For example: `wormhole receive -o shopping-list.txt` will write the file to `shopping-list.txt` regardless of the sender's intent. This option must be used with every invocation of `wormhole receive` / `wormhole rx` to be effective.
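The two mitigations above (the restored receiver-side filename check and the `-o` override) as an added illustration in Python, not the project's own code. The sample offered filenames are constructed, and the function names and the `dest_dir` argument are assumptions made for this example.

```python
import os
import posixpath
import ntpath

# Constructed filenames a receiver might be offered (not real traffic); all
# but the first carry directory components that a missing check would honour.
SAMPLE_OFFERS = [
    "shopping-list.txt",
    "../.bashrc",
    "/home/user/.ssh/authorized_keys",
    "..\\.bashrc",
    "dir/../../.profile",
    ".",
]


def validate_offered_filename(name):
    """Receiver-side check: accept only a bare file name, which is what a
    legitimate sender derives from the base name of the file it sends."""
    if not name or name in (".", ".."):
        raise ValueError("empty or relative-reference name")
    if "\x00" in name:
        raise ValueError("NUL byte in file name")
    # Reject directory components under both POSIX and Windows conventions
    # (ntpath also strips drive prefixes such as "C:").
    if posixpath.basename(name) != name or ntpath.basename(name) != name:
        raise ValueError("file name must not contain directory components")
    return name


def destination_path(name, dest_dir, override=None):
    """Where the receiver writes. An explicit override (the -o/--output
    workaround) is the receiver's own choice and replaces the sender's name;
    otherwise the sender's name must validate and stay inside dest_dir."""
    if override is not None:
        return os.path.abspath(override)
    path = os.path.abspath(os.path.join(dest_dir, validate_offered_filename(name)))
    if os.path.dirname(path) != os.path.abspath(dest_dir):  # defence in depth
        raise ValueError("destination escapes the receive directory")
    return path


def triage(offers):
    """Split offered names into those the check accepts and those it rejects."""
    result = {"accepted": [], "rejected": []}
    for n in offers:
        try:
            validate_offered_filename(n)
            result["accepted"].append(n)
        except ValueError:
            result["rejected"].append(n)
    return result
```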