Aerc Directory Traversal Vulnerability in Attachment Handling

Vulnerability

A directory traversal vulnerability has been identified in Aerc versions prior to commit 93bec0d. The issue arises in the 'commands/msgview/open.go' file, where the application builds the on-disk path for an attachment by concatenating the untrusted attachment filename onto a directory path without sanitizing it. Traversal sequences in the filename are therefore honoured, potentially leading to unauthorized file access.

Impact

Exploitation of this vulnerability could result in directory traversal, allowing an attacker who controls an attachment filename to cause Aerc to access files and directories outside of the intended scope.

Reproduction

The vulnerability can be reproduced by opening an attachment whose filename includes directory traversal sequences. Aerc attempts to process the attachment by concatenating the filename onto the path, which can lead to accessing unintended files or directories.
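To make the bug class in the Vulnerability and Reproduction sections concrete, the following is an added Go example (not Aerc's own code): vulnerableAttachmentPath reproduces the unsafe concatenation pattern the advisory describes, and safeAttachmentPath shows the defensive handling. The directory "/tmp/aerc" and all filenames are constructed sample values.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrUnsafeName is returned when an attachment filename cannot be mapped
// safely into the target directory.
var ErrUnsafeName = errors.New("unsafe attachment filename")

// vulnerableAttachmentPath mirrors the unsafe pattern described in the advisory
// (illustrative, not Aerc's code): the untrusted filename is appended to the
// directory as-is, so any traversal sequence in it is honoured.
func vulnerableAttachmentPath(dir, name string) string {
	return dir + "/" + name
}

// safeAttachmentPath keeps only the final path element of the untrusted name,
// rejects empty or dot-only results, and then verifies that the joined,
// cleaned path still lies inside dir.
func safeAttachmentPath(dir, name string) (string, error) {
	// MIME filenames may originate on any OS, so treat "\" as a separator too.
	base := filepath.Base(strings.ReplaceAll(name, "\\", "/"))
	if base == "" || base == "." || base == ".." || base == string(filepath.Separator) {
		return "", ErrUnsafeName
	}
	cleanDir := filepath.Clean(dir)
	full := filepath.Join(cleanDir, base)
	// Defence in depth: confirm the result is strictly within cleanDir.
	rel, err := filepath.Rel(cleanDir, full)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrUnsafeName
	}
	return full, nil
}

func main() {
	for _, name := range []string{"report.pdf", "../../outside.txt", "..", ""} {
		fmt.Printf("%-20q vulnerable=%q\n", name, vulnerableAttachmentPath("/tmp/aerc", name))
		if p, err := safeAttachmentPath("/tmp/aerc", name); err != nil {
			fmt.Printf("%-20q safe=rejected (%v)\n", name, err)
		} else {
			fmt.Printf("%-20q safe=%q\n", name, p)
		}
	}
}
```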

Remediation

Users should update to the latest version of Aerc, which includes commit 93bec0d, where this vulnerability has been addressed.

Added: Sep 1, 2025, 7:22 PM
Updated: Sep 1, 2025, 7:22 PM

Vulnerability Rating (Custom Algorithm)

spread:         0.0
impact:         3.3
exploitability: 7.4
remediation:    0.0
relevance:      0.2
threat:         4.8
urgency:        2.9
incentive:      0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.