PT-2026-25863 · Romeo · Romeo

Tanishqshah2 · Published 2026-03-16 · Updated 2026-03-27 · CVE-2026-32805

CVSS v4.0: 8.3 (High)

Vector: AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:L/SA:L
Name of the Vulnerable Software and Affected Versions

Romeo versions prior to 0.2.2

Description

Romeo, a Go code coverage tool, contains a path traversal flaw in the sanitizeArchivePath function in webserver/api/v1/decoder.go (lines 80-88). The function's strings.HasPrefix check compares the resolved entry path against the destination directory without a trailing path separator, so a crafted tar archive can write files outside the intended destination directory. sanitizeArchivePath is called from the Unzip function, which in turn is called by the Decode function while the webserver CLI runs the download command. Because the prefix check ignores the trailing forward slash, an entry whose resolved path merely begins with the destination directory's name (for example a sibling directory sharing that name as a prefix) passes the check, bypassing the intended restriction and allowing writes to arbitrary locations. Successful exploitation gives arbitrary file write on the system running the webserver CLI and could lead to remote code execution through modification of shell configuration files, SSH authorized keys, or Kubernetes configuration files. The default ReadWriteMany PVC access mode widens the attack surface, since any pod with access to the PVC can place the malicious archive.

Recommendations

Update to Romeo version 0.2.2 or later.
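To illustrate the prefix-collision described above, here is an added example (not Romeo's own code; the function names, the destination path and the archive entry names are constructed for the demonstration). vulnerableSanitize reproduces the flawed HasPrefix pattern, while safeSanitize compares against the destination plus a trailing separator; checkEntries runs either checker over a constructed list of tar entry names.

```go
package main

import (
	"fmt"
	"path/filepath"
	"strings"
)

// vulnerableSanitize mirrors the flawed pattern (assumed, not Romeo's code):
// it only checks that the resolved target starts with the destination
// string, so "/data/out-evil/x" is accepted for destination "/data/out".
func vulnerableSanitize(dest, name string) (string, bool) {
	cleanDest := filepath.Clean(dest)
	target := filepath.Join(cleanDest, name)
	return target, strings.HasPrefix(target, cleanDest)
}

// safeSanitize closes the gap: the target must be the destination itself
// or start with the destination followed by a path separator.
func safeSanitize(dest, name string) (string, bool) {
	cleanDest := filepath.Clean(dest)
	target := filepath.Join(cleanDest, name)
	if target == cleanDest {
		return target, true
	}
	return target, strings.HasPrefix(target, cleanDest+string(filepath.Separator))
}

// checkEntries applies a checker to each constructed entry name and returns
// the names that would be allowed to be written under dest.
func checkEntries(check func(string, string) (string, bool), dest string, names []string) []string {
	var allowed []string
	for _, n := range names {
		if _, ok := check(dest, n); ok {
			allowed = append(allowed, n)
		}
	}
	return allowed
}

func main() {
	// Constructed sample entry names as they might appear in a tar header.
	names := []string{"reports/cover.html", "../out-evil/x", "../../outside.txt"}
	dest := "/data/out"
	fmt.Println("vulnerable allows:", checkEntries(vulnerableSanitize, dest, names))
	fmt.Println("safe allows:      ", checkEntries(safeSanitize, dest, names))
}
```

The vulnerable checker lets "../out-evil/x" through because its resolved path "/data/out-evil/x" begins with "/data/out"; the fixed checker rejects it and keeps only the entry that resolves inside the destination.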

Exploit

Fix

Weakness Enumeration

Path traversal

Related Identifiers

CVE-2026-32805
GHSA-P799-G7VV-F279
GO-2026-4719
SUSE-SU-2026:1135-1

Affected Products

Romeo