CVE-2024-12088

MEDIUM 6.5

Rsync: --safe-links option bypass leads to path traversal

CVSS Score

6.5

EPSS Score

2.9%

EPSS Percentile

86th

A flaw was found in rsync. When using the `--safe-links` option, the rsync client fails to properly verify if a symbolic link destination sent from the server contains another symbolic link within it. This results in a path traversal vulnerability, which may lead to arbitrary file write outside the desired directory.

CWE	CWE-22
Published	Jan 14, 2025
Last Updated	Apr 14, 2026

Stay Ahead of the Next One

Get instant alerts for

Be the first to know when new medium vulnerabilities are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

None

Integrity

High

Availability

None

Affected Versions

Red Hat / Red Hat Enterprise Linux 10

All versions affected

Red Hat / Red Hat Enterprise Linux 8

All versions affected

Red Hat / Red Hat Enterprise Linux 9

All versions affected

Red Hat / Red Hat Enterprise Linux 9

All versions affected

Red Hat / Red Hat Discovery 1.14

All versions affected

Red Hat / Red Hat Enterprise Linux 6

All versions affected

Red Hat / Red Hat Enterprise Linux 7

All versions affected

Red Hat / Red Hat OpenShift Container Platform 4

All versions affected

References

NVD ↗ CVE.org ↗ EPSS Data ↗

access.redhat.com: https://access.redhat.com/errata/RHBA-2025:6470 access.redhat.com: https://access.redhat.com/errata/RHSA-2025:2600 access.redhat.com: https://access.redhat.com/errata/RHSA-2025:7050 access.redhat.com: https://access.redhat.com/errata/RHSA-2025:8385 access.redhat.com: https://access.redhat.com/security/cve/CVE-2024-12088 bugzilla.redhat.com: https://bugzilla.redhat.com/show_bug.cgi?id=2330676 kb.cert.org: https://kb.cert.org/vuls/id/952657 github.com: https://github.com/google/security-research/security/advisories/GHSA-p5pg-x43v-mvqj security.netapp.com: https://security.netapp.com/advisory/ntap-20250131-0002/ lists.debian.org: https://lists.debian.org/debian-lts-announce/2025/01/msg00008.html kb.cert.org: https://www.kb.cert.org/vuls/id/952657

Credits

Red Hat would like to thank Jasiel Spelman (Google), Pedro Gallegos (Google), and Simon Scannell (Google) for reporting this issue.