CVE-2024-12087 is a path traversal vulnerability identified in the widely used file synchronization tool rsync. The issue arises from the behavior of the --inc-recursive option, which is enabled by default for many client options and can be activated by the server even if the client does not explicitly request it. This option facilitates incremental recursive file transfers but lacks adequate symlink verification. Additionally, deduplication checks are performed on a per-file-list basis rather than globally, which allows a malicious rsync server to exploit these weaknesses to write files outside the client's intended destination directory. By crafting file paths that traverse directories, the server can place files in arbitrary locations on the client system, potentially overwriting or injecting malicious files into critical directories. The vulnerability does not require prior authentication or elevated privileges but does require user interaction in the form of initiating an rsync session with a malicious server. The impact primarily affects the integrity of client systems, as unauthorized files can be introduced or existing files overwritten. Confidentiality and availability are not directly impacted. The CVSS v3.1 base score is 6.5, reflecting a medium severity level with network attack vector, low attack complexity, no privileges required, and user interaction needed. No public exploits have been reported to date. The vulnerability was reserved in December 2024 and published in January 2025, with enrichment from CISA and Red Hat assigners. Mitigation involves patching rsync when updates become available and carefully controlling which servers clients synchronize with, especially avoiding untrusted or unknown servers. Disabling or restricting the --inc-recursive option where possible can also reduce risk.

The primary impact of CVE-2024-12087 is the potential compromise of data integrity on client systems using rsync in client-server mode. A malicious server can write arbitrary files outside the intended synchronization directory, potentially overwriting critical system or application files or planting malicious payloads. This could lead to unauthorized code execution, persistence mechanisms, or disruption of normal operations if critical files are replaced or corrupted. Since confidentiality and availability are not directly affected, the main concern is the integrity and trustworthiness of client data. Organizations relying on rsync for backup, deployment, or file synchronization may face risks of supply chain attacks or targeted compromise if they connect to untrusted servers. The ease of exploitation is moderate due to the need for user interaction and network access to a malicious server, but no authentication or privileges are required, increasing the threat surface. The scope includes any client systems running vulnerable versions of rsync with --inc-recursive enabled, which is common in many default configurations. This vulnerability could be leveraged in targeted attacks against organizations that synchronize files with external rsync servers, including cloud providers, third-party vendors, or remote offices.

1. Apply official patches or updates to rsync as soon as they are released that address CVE-2024-12087. 2. Until patches are available, disable the --inc-recursive option on clients if possible, or configure rsync clients to avoid using this option. 3. Restrict rsync client connections to trusted and verified servers only; avoid synchronizing with unknown or untrusted servers. 4. Implement network-level controls such as firewall rules or VPNs to limit rsync traffic to authorized endpoints. 5. Monitor file system changes on client machines, especially outside expected synchronization directories, to detect unauthorized file writes. 6. Use file integrity monitoring tools to alert on unexpected modifications or additions to critical directories. 7. Educate users and administrators about the risks of connecting to untrusted rsync servers and the importance of verifying server authenticity. 8. Review and harden rsync server configurations to prevent enabling --inc-recursive for clients unless explicitly required and trusted. 9. Consider alternative secure file transfer methods that provide stronger guarantees against path traversal and unauthorized writes. 10. Maintain up-to-date inventories of rsync versions deployed across the organization to prioritize remediation efforts.