Skip to content

Magic Wormhole: "wormhole receive" allows arbitrary local file overwrite #499627

New issue
New issue
Open
Open
Magic Wormhole: "wormhole receive" allows arbitrary local file overwrite#499627
Labels
1.severity: securityIssues which raise a security issue, or PRs that fix one
@nixpkgs-security-tracker

Description

@nixpkgs-security-tracker
nixpkgs-security-tracker
bot
opened on Mar 13, 2026

Description

Magic Wormhole makes it possible to get arbitrary-sized files and directories from one computer to another. From 0.21.0 to before 0.23.0, receiving a file (wormhole receive) from a malicious party could result in overwriting critical local files, including ~/.ssh/authorized_keys and .bashrc. This could be used to compromise the receiver's computer. Only the sender of the file (the party who runs wormhole send) can mount the attack. Other parties (including the transit/relay servers) are excluded by the wormhole protocol. This vulnerability is fixed in 0.23.0.

Affected packages
  • magic-wormhole (0.21.1@nixos-25.11, 0.22.0@nixos-unstable)

Additional comment

Upstream advisory: https://github.com/magic-wormhole/magic-wormhole/security/advisories/GHSA-4g4c-mfqg-pj8r

Metadata

Metadata

Assignees

No one assigned

    Labels

    1.severity: securityIssues which raise a security issue, or PRs that fix one

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions