Google Cloud Researchers Uncover Flaws in Rsync File Synchronization Tool

As many as six security vulnerabilities have been disclosed in the popular Rsync file-synchronizing tool for Unix systems, some of which could be exploited to execute arbitrary code on a client.
"Attackers can take control of a malicious server and read/write arbitrary files of any connected client," the CERT Coordination Center (CERT/CC) said in an advisory. "Sensitive data, such as SSH keys, can be extracted, and malicious code can be executed by overwriting files such as ~/.bashrc or ~/.popt."
The shortcomings, which comprise heap-buffer overflow, information disclosure, file leak, external directory file-write, and symbolic-link race condition, are listed below -
- CVE-2024-12084 (CVSS score: 9.8) - Heap-buffer overflow in Rsync due to improper checksum length handling
- CVE-2024-12085 (CVSS score: 7.5) - Information leak via uninitialized stack contents
- CVE-2024-12086 (CVSS score: 6.1) - Rsync server leaks arbitrary client files
- CVE-2024-12087 (CVSS score: 6.5) - Path traversal vulnerability in Rsync
- CVE-2024-12088 (CVSS score: 6.5) - --safe-links option bypass leads to path traversal
- CVE-2024-12747 (CVSS score: 5.6) - Race condition in Rsync when handling symbolic links
Simon Scannell, Pedro Gallegos, and Jasiel Spelman from Google Cloud Vulnerability Research have been credited with discovering and reporting the first five flaws. Security researcher Aleksei Gorban has been acknowledged for the symbolic-link race condition flaw.
"In the most severe CVE, an attacker only requires anonymous read access to a Rsync server, such as a public mirror, to execute arbitrary code on the machine the server is running on," Red Hat Product Security's Nick Tait said.
CERT/CC also noted that an attacker could combine CVE-2024-12084 and CVE-2024-12085 to achieve arbitrary code execution on a client that has a Rsync server running.
Patches for the vulnerabilities have been released in Rsync version 3.4.0, which was made available earlier today. For users who are unable to apply the update, the following mitigations are recommended -
- CVE-2024-12084 - Disable SHA* support by compiling with CFLAGS=-DDISABLE_SHA512_DIGEST and CFLAGS=-DDISABLE_SHA256_DIGEST
- CVE-2024-12085 - Compile with -ftrivial-auto-var-init=zero to zero the stack contents
CVE-2025-22224 VMware ESXi and Workstation TOCTOU Race Condition Vulnerability
CVE-2020-29574 CyberoamOS (CROS) SQL Injection Vulnerability
CVE-2018-19410 Paessler PRTG Network Monitor Local File Inclusion Vulnerability
CVE-2025-2783 Google Chromium Mojo Sandbox Escape Vulnerability
CVE-2018-8639 Microsoft Windows Win32k Improper Resource Shutdown or Release Vulnerability
CVE-2024-50302 Linux Kernel Use of Uninitialized Resource Vulnerability
CVE-2025-0111 Palo Alto Networks PAN-OS File Read Vulnerability
CVE-2024-49035 Microsoft Partner Center Improper Access Control Vulnerability
CVE-2017-0148 Microsoft SMBv1 Server Remote Code Execution Vulnerability
InformationalInformation Disclosure - Suspicious Comments
HighPII Disclosure
Free online web security scanner