Google security research reports multiple Rsync flaws, at least one critical
Take action: If you are using Rsync, especially if exposed to the internet and with anonymous access - update immediately.
A comprehensive security report has revealed five significant vulnerabilities in the widely-used Rsync file synchronization tool. These vulnerabilities, affecting Rsync version 3.2.7 and earlier, include remote code execution capabilities, information leakage, and file system manipulation vectors.
The most severe issues include a heap buffer overflow and an information leak that, when combined, allow a client with only anonymous read access to execute arbitrary code on an Rsync server. Researchers developed a reliable proof-of-concept exploit targeting Debian 12 systems running Rsync 3.2.7.
- CVE-2024-12084 (CVSS score 9.8) - Heap Buffer Overflow in Checksum Parsing (Critical). Occurs during checksum processing by the daemon. The sum2 buffer is fixed at 16 bytes, but the protocol allows writing up to MAX_DIGEST_LEN bytes (often 64 for SHA256). Enables overwriting up to 48 bytes past the buffer limit.
- CVE-2024-12085 (CVSS score 7.5) - Information Leak via Uninitialized Stack Contents. Leaks uninitialized stack memory that can contain pointers to heap objects, stack cookies, and return pointers. Allows attackers to defeat Address Space Layout Randomization (ASLR).
- CVE-2024-12087 (CVSS score 6.5) - Symbolic Link Directory Escape. Allows a server to make a client write files outside of the destination directory. Works when symbolic link syncing is enabled (via the -l or --archive flags).
- CVE-2024-12088 (CVSS score 6.5) - --safe-links Bypass. Circumvents the security feature designed to prevent symbolic links from pointing outside the destination directory. Exploits incomplete path validation that doesn't consider nested symbolic links.
- CVE-2024-12086 (CVSS score 6.1) - Server Leaks Arbitrary Client Files. Enables a malicious server to exfiltrate any file from a connecting client's machine. Takes advantage of path traversal issues in file comparison handling.
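The length mismatch behind CVE-2024-12084 can be modelled in a few lines. The following is an added example, not Rsync's source code: the struct, the function names and the wire layout (a 4-byte little-endian sum1 followed by the digest) are assumptions, and only the 16-byte buffer and the 64-byte MAX_DIGEST_LEN come from the description above. It contrasts a check against the protocol maximum with a check against the destination buffer.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SUM2_CAPACITY   16  /* fixed size of the sum2 buffer, per the report */
#define MAX_DIGEST_LEN  64  /* largest digest length the protocol accepts */
/* Hypothetical, simplified per-block checksum record (not rsync's struct). */
struct block_sum {
    uint32_t sum1;
    unsigned char sum2[SUM2_CAPACITY];
};

/* Weak validation: bounds the peer-declared length by the protocol maximum only. */
int weak_length_ok(size_t declared_len)
{
    return declared_len <= MAX_DIGEST_LEN;
}

/* Bytes that would land past sum2 if a weakly validated length were copied. */
size_t overrun_if_copied(size_t declared_len)
{
    if (!weak_length_ok(declared_len) || declared_len <= SUM2_CAPACITY)
        return 0;
    return declared_len - SUM2_CAPACITY;
}

/* Hardened parse: the length must fit both the destination and the input.
 * Returns 0 on success, -1 on rejection; never writes past sum2. */
int read_block_sum(struct block_sum *out, const unsigned char *wire,
                   size_t wire_len, size_t declared_len)
{
    if (declared_len == 0 || declared_len > sizeof out->sum2)
        return -1;                      /* would overflow the fixed buffer */
    if (wire_len < 4 + declared_len)
        return -1;                      /* truncated message: no over-read */
    out->sum1 = (uint32_t)wire[0] | (uint32_t)wire[1] << 8
              | (uint32_t)wire[2] << 16 | (uint32_t)wire[3] << 24;
    memset(out->sum2, 0, sizeof out->sum2);
    memcpy(out->sum2, wire + 4, declared_len);
    return 0;
}

int main(void)
{
    unsigned char wire[4 + MAX_DIGEST_LEN] = {0};   /* constructed sample message */
    struct block_sum bs;
    printf("declared 64: weak=%d overrun=%zu hardened=%d\n", weak_length_ok(64),
           overrun_if_copied(64), read_block_sum(&bs, wire, sizeof wire, 64));
    return 0;
}
```

A declared length of 64 passes the weak check and corresponds to the 48-byte overrun in the CVE description, while the hardened parse rejects it before any copy takes place.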
The vulnerabilities were reported on October 29, 2024, fixed on January 14, 2025 (likely 2025), and publicly disclosed on February 19, 2025. Patches are available in Rsync 3.2.8 and can be found at the Samba download page.
Users are strongly advised to update their Rsync installations immediately to mitigate these serious security risks, especially on systems where Rsync runs as a daemon with anonymous access enabled.