{"id":"JLSEC-2025-327","summary":"rsync --safe-links path traversal allows arbitrary file write outside the desired directory","details":"A flaw was found in rsync. When using the `--safe-links` option, the rsync client fails to properly verify if a symbolic link destination sent from the server contains another symbolic link within it. This results in a path traversal vulnerability, which may lead to arbitrary file write outside the desired directory.","modified":"2025-11-25T23:17:40.620663Z","published":"2025-11-25T22:50:06.167Z","upstream":["CVE-2024-12088"],"database_specific":{"license":"CC-BY-4.0","sources":[{"imported":"2025-11-25T22:38:07.422Z","id":"CVE-2024-12088","html_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-12088","url":"https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2024-12088","published":"2025-01-14T18:15:25.643Z","modified":"2025-11-03T22:16:39.430Z"}]},"references":[{"type":"WEB","url":"https://access.redhat.com/errata/RHSA-2025:2600"},{"type":"WEB","url":"https://access.redhat.com/errata/RHSA-2025:7050"},{"type":"WEB","url":"https://access.redhat.com/errata/RHSA-2025:8385"},{"type":"WEB","url":"https://access.redhat.com/security/cve/CVE-2024-12088"},{"type":"WEB","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2330676"},{"type":"WEB","url":"https://kb.cert.org/vuls/id/952657"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2025/01/msg00008.html"},{"type":"WEB","url":"https://security.netapp.com/advisory/ntap-20250131-0002/"},{"type":"WEB","url":"https://www.kb.cert.org/vuls/id/952657"},{"type":"WEB","url":"https://github.com/google/security-research/security/advisories/GHSA-p5pg-x43v-mvqj"}],"affected":[{"package":{"name":"rsync_jll","ecosystem":"Julia","purl":"pkg:julia/rsync_jll?uuid=191d6b87-264a-55f5-a0e2-c8fbce9a1ce0"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"3.4.0+0"}]}],"database_specific":{"source":"https://github.com/JuliaLang/SecurityAdvisories.jl/tree/generated/osv/2025/JLSEC-2025-327.json"}}],"schema_version":"1.7.3"}