CVE-2024-25711 - Exploiting a Directory Traversal Vulnerability in diffoscope via GPG Embedded Filenames

Published: June 2024
Severity: High
Affected Product: diffoscope versions before 256

Introduction

In the world of software security, tools that analyze files should be extremely careful about trusting user input—especially when it comes to file paths. Recently, a serious vulnerability (CVE-2024-25711) was discovered in diffoscope, a popular and powerful tool for in-depth file comparison. This vulnerability allows attackers to read *any* file on the host machine, such as private SSH keys, simply by providing a specially crafted encrypted file.

In this post, we'll break down what CVE-2024-25711 is, how it works, see the exploit in code, and discuss what you should do to stay safe.

What is diffoscope?

diffoscope is an advanced file comparison tool, widely used for visualizing differences between files, packages, or archives. It automatically unpacks containers (like TARs, ZIPs, and others) and shows detailed diff outputs—even for binary or deeply nested files. It’s very useful for reproducible software builds.

How Does the Vulnerability Work?

diffoscope can compare encrypted GPG files, and, for convenience, it sometimes tells GPG to restore files using their embedded original filenames. This is done by passing the --use-embedded-filenames flag to GnuPG (gpg).

Attackers can create a malicious GPG file with an embedded filename like ../../../../.ssh/id_rsa. When diffoscope decrypts it, GPG will write the output to that file (overwriting it if it's writable) or, crucially, diffoscope might then read that sensitive file and reveal its content during the comparison process.

The Core Problem

diffoscope blindly trusts the embedded filename in the encrypted file. So if the attacker’s GPG file says “restore to ../../../../.ssh/id_rsa”, diffoscope goes along with it.

Example Scenario

1. An attacker crafts a GPG file with embedded filename ../../.ssh/id_rsa.
2. diffoscope compares this file, and when it extracts the content, it writes to the target path—here, the victim’s SSH private key.

The attacker can now see the private SSH key (or *any* other file) as part of the output.

> In short: Diffoscope lets GPG write sensitive files (via directory traversal) because it did not sanitize or check the embedded filename.

Here is a simplified Python snippet, inspired by how diffoscope interacts with GPG

import subprocess

def extract_gpg(file_path):
    # BAD: --use-embedded-filenames allows directory traversal attacks
    command = [
        "gpg",
        "--batch",
        "--yes",
        "--output", "-",  # Output to stdout, but --use-embedded-filenames overrides this!
        "--use-embedded-filenames",
        "-d", file_path
    ]
    return subprocess.run(command, capture_output=True).stdout

If the GPG file includes a tricky embedded filename, e.g., ../../.ssh/id_rsa, this can cause serious harm.

Prerequisites

- Attacker gets the victim to run diffoscope on a malicious GPG file, or tricks a CI/CD pipeline that uses diffoscope.

Attacker crafts a GPG file

- Sets the embedded filename to something sensitive (like ../../.ssh/id_rsa).
- Can use gpg --output ../../.ssh/id_rsa --encrypt sensitivefile.

diffoscope uses gpg --use-embedded-filenames

- GPG writes output as specified by the embedded filename, potentially *overwriting* or leaking files outside of the current directory.

Attacker obtains output

- If diffoscope’s report (or temporary files) includes contents of the targeted file, the attacker has succeeded.

Here's how you could create a malicious GPG file

# On attacker's machine
echo "Attack data" > secret_data
# Create a GPG file with embedded filename trick
gpg --batch --yes --output ../../.ssh/id_rsa --encrypt --recipient victim@example.com secret_data

Send this GPG file to the victim and get them to run

diffoscope safe.pdf attacker_file.gpg

If diffoscope is vulnerable, the output might include contents of ~/.ssh/id_rsa.

References & Further Reading

- Original CVE Report
- diffoscope issue tracker
- diffoscope v256 release notes (fixed in >= 256)
- GnuPG documentation

Upgrade diffoscope: Make sure you are running version 256 or newer.

- Be cautious with files from untrusted sources: Don’t analyze files from unknown or untrusted senders.
- If you use diffoscope in automated systems (like CI/CD pipelines), ensure your environment is updated.

> Technical note: The fix involves sanitizing the embedded filename and preventing directory traversal by default—even when using the --use-embedded-filenames GPG flag.

Summary

CVE-2024-25711 is a classic directory traversal bug with a modern twist: the vector is a file’s *metadata* (its original filename inside a GPG wrapper), and the impact can be total file disclosure. If you use diffoscope, update to version 256 or newer right now.

Timeline

Published on: 02/27/2024 02:15:06 UTC
Last modified on: 03/04/2025 12:24:19 UTC