Octorpki · Octorpki · CVE-2021-3907
**Name of the Vulnerable Software and Affected Versions**
OctoRPKI (affected versions not specified)
**Description**
The issue allows a repository to create a file that is written to disk outside the base cache folder, because a URI whose filename contains ".." is not escaped before it is turned into a local path. This could enable remote code execution on the host machine running OctoRPKI. The vulnerability is a directory traversal: the `ExtractPathManifest` function permits file paths containing relative directory components (".."), so a file can reference arbitrary locations on the filesystem. For example, a repository could create a file using the `rsync://example.org/repo/../../etc/cron.daily/evil.roa` URI.
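The traversal pattern described above, shown as an added Go example that is not OctoRPKI's own code: a naive URI-to-cache-path mapping that never checks where the cleaned path lands, beside a hardened version that rejects ".." segments and verifies containment. The cache base directory, the function names and the benign sample URI are assumptions; the malicious URI is the one quoted in the description.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"path/filepath"
	"strings"
)

// Assumed cache root; the real OctoRPKI layout is not described on this page.
const cacheBase = "/var/cache/octorpki"

// naiveCachePath reproduces the flawed pattern: the URI's host and path are
// joined under base, and nothing checks where the cleaned result ends up.
func naiveCachePath(base, rawURI string) (string, error) {
	u, err := url.Parse(rawURI)
	if err != nil {
		return "", err
	}
	return filepath.Join(base, u.Host, u.Path), nil
}

// safeCachePath applies two independent checks: any ".." segment is rejected
// outright (u.Path is already percent-decoded, so "%2e%2e" is caught too),
// and the cleaned result must still be rooted at base.
func safeCachePath(base, rawURI string) (string, error) {
	u, err := url.Parse(rawURI)
	if err != nil {
		return "", err
	}
	if u.Host == "" {
		return "", errors.New("URI has no host component")
	}
	for _, seg := range strings.Split(u.Path, "/") {
		if seg == ".." {
			return "", fmt.Errorf("rejecting %q: path contains a \"..\" segment", rawURI)
		}
	}
	root := filepath.Clean(base)
	full := filepath.Join(root, u.Host, u.Path)
	rel, err := filepath.Rel(root, full)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("rejecting %q: resolves outside %s", rawURI, root)
	}
	return full, nil
}

func main() {
	for _, uri := range []string{
		"rsync://example.org/repo/valid.roa",                     // constructed benign sample
		"rsync://example.org/repo/../../etc/cron.daily/evil.roa", // URI from the advisory
	} {
		n, _ := naiveCachePath(cacheBase, uri)
		s, err := safeCachePath(cacheBase, uri)
		fmt.Printf("%s\n  naive: %s\n  safe:  %s %v\n", uri, n, s, err)
	}
}
```

With the advisory's URI the naive mapping climbs out of the repository's own directory and writes under a sibling path the repository never owned; the hardened function refuses it.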
**Recommendations**
At the moment, there is no information about a newer version that contains a fix for this vulnerability.