CVE-2025-24366: 
Wolfi vulnerability analysis and mitigation

SFTPGo, an open source event-driven file transfer solution, was found to contain a vulnerability (CVE-2025-24366) related to command execution via SSH. The vulnerability exists in the rsync command functionality, which is disabled by default and limited to local filesystem operations. The issue was discovered and disclosed on February 7, 2025, affecting versions 0.9.5 through 2.6.4 (GitHub Advisory).

The vulnerability stems from insufficient sanitization of client-provided rsync commands. When the rsync command functionality is enabled, an authenticated remote user can exploit certain rsync command options to perform unauthorized file operations with the permissions of the SFTPGo server process. The vulnerability has been assigned a CVSS v3.1 score of 7.5 (High) with the vector string CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H, indicating network attack vector, high attack complexity, low privileges required, and high impact on confidentiality, integrity, and availability (GitHub Advisory).

The vulnerability allows authenticated attackers to read and write files with the permissions of the SFTPGo server process, potentially leading to unauthorized access to sensitive data and file system modifications. This poses significant risks to data confidentiality and integrity for systems where the rsync command functionality is enabled (GitHub Advisory).

The vulnerability has been fixed in version 2.6.5 by implementing proper validation of client-provided arguments. Users are advised to upgrade to this version or later. The fix includes checks for rsync command arguments and ensures proper sanitization of user input (GitHub Commit).