Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
An issue was discovered in Croc through 9.6.5. A sender can cause a receiver to overwrite files during ZIP extraction.
Advisories for Golang/Github.com/Schollz/Croc package
2023
Cros secrets may be disclosed to untrusted relay
An issue was discovered in Croc through 9.6.5. When a custom shared secret is used, the sender and receiver may divulge parts of this secret to an untrusted Relay, as part of composing a room name.
Croc sender may send dangerous new files to receiver
An issue was discovered in Croc through 9.6.5. A sender may send dangerous new files to a receiver, such as executable content or a .ssh/authorized_keys file.
Croc sender may place ANSI or CSI escape sequences in filename to attach receiver's terminal device
An issue was discovered in Croc through 9.6.5. A sender may place ANSI or CSI escape sequences in a filename to attack the terminal device of a receiver.
Croc requires senders to provide local IP addresses in cleartext
An issue was discovered in Croc through 9.6.5. The protocol requires a sender to provide its local IP addresses in cleartext via an ips? message.
Croc may expose secret to local users
An issue was discovered in Croc through 9.6.5. The shared secret, located on a command line, can be read by local users who list all processes and their arguments.