PatchSiren cyber security CVE debrief

CVE-2026-42448 magic-wormhole CVE debrief

Magic Wormhole is a tool for transferring files and directories between computers. This CVE documents a path traversal vulnerability affecting versions prior to 0.24.0. The issue occurs when a receiver uses the --output flag to specify an output directory that already exists as a directory. The vulnerability was published on 2026-05-26 and carries a LOW severity CVSS score of 3.5. It is classified as CWE-22 (Path Traversal). A fix is available in version 0.24.0.

Vendor: magic-wormhole
Product: Unknown
CVSS: LOW 3.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-26
Original CVE updated: 2026-05-26
Advisory published: 2026-05-26
Advisory updated: 2026-05-26

Who should care

Organizations and individuals using Magic Wormhole for file transfers, particularly those using automated or scripted receivers with pre-existing output directories. System administrators managing Magic Wormhole deployments should prioritize patching to prevent potential unauthorized file writes.

Technical summary

A path traversal vulnerability exists in Magic Wormhole versions before 0.24.0. When a receiver specifies an --output directory that already exists as a directory, the application does not properly validate the paths of received files, potentially allowing files to be written outside the intended destination. Exploitation requires the attacker to have an established wormhole connection with the receiver (low privileges) and requires user interaction on the receiver's side. The attack complexity is low and the attack can be conducted over the network, but the impact is limited to low integrity impact, with no confidentiality or availability impact.
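As an added example (not magic-wormhole's own code, and not the fix shipped in 0.24.0), this is the kind of containment check a receiver can apply before writing each received file into an already-existing --output directory. The function names and the constructed symlink scenario are assumptions for illustration; the point is that a string-only check on the received name is not enough once the output directory pre-exists and may contain symlinks.

```python
import os
import shutil
import tempfile


class UnsafeDestination(ValueError):
    """Raised when a received file name would land outside the output directory."""


def safe_destination(output_dir: str, received_name: str) -> str:
    """Return the absolute path a received file may be written to, or raise.

    Three checks: reject empty or absolute names, reject any '.', '..' or
    empty path component, then require that the resolved destination still
    lies under the resolved output directory. The last check catches escapes
    through symlinks already present inside a pre-existing output directory.
    """
    if not received_name or os.path.isabs(received_name):
        raise UnsafeDestination(f"empty or absolute name: {received_name!r}")
    # Normalise separators so backslash-separated names are checked the same way.
    parts = received_name.replace("\\", "/").split("/")
    if any(p in ("", ".", "..") for p in parts):
        raise UnsafeDestination(f"traversal component in {received_name!r}")
    base = os.path.realpath(output_dir)
    candidate = os.path.realpath(os.path.join(base, *parts))
    if os.path.commonpath([base, candidate]) != base:
        raise UnsafeDestination(f"{received_name!r} resolves outside {base}")
    return candidate


def is_contained(output_dir: str, received_name: str) -> bool:
    """True if safe_destination() would accept the name, False otherwise."""
    try:
        safe_destination(output_dir, received_name)
        return True
    except UnsafeDestination:
        return False


def demo_symlink_escape() -> tuple:
    """Constructed scenario: the output directory already exists and holds a
    symlink to a directory outside it. Returns (component_check_ok, contained)
    to show that only the realpath check rejects 'link/evil.txt'."""
    outside = tempfile.mkdtemp()
    output_dir = tempfile.mkdtemp()
    try:
        os.symlink(outside, os.path.join(output_dir, "link"))
        name = "link/evil.txt"
        component_check_ok = not any(p in ("", ".", "..") for p in name.split("/"))
        return component_check_ok, is_contained(output_dir, name)
    finally:
        shutil.rmtree(output_dir)
        shutil.rmtree(outside)
```

demo_symlink_escape() returns (True, False): the name passes the component check but fails containment.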

Defensive priority

medium

Recommended defensive actions

  • Upgrade Magic Wormhole to version 0.24.0 or later to remediate this vulnerability
  • Review receiver configurations to ensure --output directories are properly validated
  • Monitor for any unauthorized file writes in existing output directories used with Magic Wormhole
  • Verify that Magic Wormhole installations are running the patched version by checking the package manager or pip list output

Evidence notes

The CVE description confirms the vulnerability affects Magic Wormhole versions prior to 0.24.0, with a path traversal occurring when the --output directory already exists. The CVSS vector (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N) indicates network attack vector, low attack complexity, low privileges required, user interaction required, and low integrity impact. The vulnerability is tracked as GHSA-cf92-gfcw-6v53.

Official resources

2026-05-26