radare2
cpe:2.3:a:radare:radare2:*:*:*:*:*:*:*
- < 6.1.4
A path traversal vulnerability has been identified in radare2 versions prior to 6.1.4, specifically within the project deletion feature. This vulnerability allows local attackers to recursively delete arbitrary directories by providing absolute paths that escape the designated project directory. By crafting paths to project marker files outside the intended storage area, attackers can manipulate the deletion process to target specific directories. The deletion occurs with the permissions of the radare2 process, leading to potential loss of integrity and availability.
Successful exploitation recursively deletes directories of the attacker's choosing, with the permissions of the radare2 process. This could result in significant disruption to the user's file system and loss of important data.
Users can update to radare2 version 6.1.4 or later, where this vulnerability has been addressed.
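The containment check that this class of bug calls for, as an added example (not radare2's code and not its actual fix): the user-supplied project path is resolved and must land strictly inside the project directory before any recursive delete is allowed. The names `path_is_inside` and `project_delete_allowed` are hypothetical, and `/usr` stands in for the project directory in the constructed inputs.

```c
#define _XOPEN_SOURCE 700
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper: 1 only if `target` resolves to a strict descendant
 * of `base` once symlinks, "." and ".." have been resolved. */
int path_is_inside(const char *base, const char *target) {
    char rbase[PATH_MAX], rtarget[PATH_MAX];
    if (!base || !target) return 0;
    if (!realpath(base, rbase) || !realpath(target, rtarget))
        return 0;                      /* unresolvable: refuse, do not guess */
    size_t n = strlen(rbase);
    if (strncmp(rtarget, rbase, n) != 0) return 0;
    if (n == 1) return rtarget[1] != '\0';   /* base is "/" */
    return rtarget[n] == '/';          /* rejects base itself and "/usrX" */
}

/* Hypothetical gate to call before any recursive delete. `arg` is the
 * user-supplied project name or path; an absolute `arg` is taken as-is,
 * which is the case the containment check has to catch. */
int project_delete_allowed(const char *projects_dir, const char *arg) {
    char candidate[PATH_MAX];
    if (!projects_dir || !arg) return 0;
    int len = (arg[0] == '/')
        ? snprintf(candidate, sizeof candidate, "%s", arg)
        : snprintf(candidate, sizeof candidate, "%s/%s", projects_dir, arg);
    if (len < 0 || (size_t)len >= sizeof candidate) return 0; /* truncated */
    return path_is_inside(projects_dir, candidate);
}

int main(void) {
    /* Constructed inputs; /usr stands in for the project directory. */
    const char *dir = "/usr";
    const char *args[] = { "bin", "/usr/bin", "/etc", "../etc", "." };
    for (size_t i = 0; i < sizeof args / sizeof args[0]; i++)
        printf("%-10s -> %s\n", args[i],
               project_delete_allowed(dir, args[i]) ? "allow" : "refuse");
    return 0;
}
```

The check and the delete are separate steps, so a path component replaced in between is still a race this example does not close.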