CVE-2026-32805: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in ctfer-io romeo
CVE-2026-32805 is a high-severity path traversal vulnerability in the ctfer-io romeo tool versions prior to 0.2.2. The flaw exists in the sanitizeArchivePath function, which incorrectly validates archive paths due to a missing trailing path separator check. This allows a crafted tar archive to write files outside the intended extraction directory, potentially overwriting critical files or placing malicious files on the system. The vulnerability requires no authentication or user interaction and can be exploited remotely if an attacker can supply a malicious archive. The issue affects Go applications using romeo for code coverage measurement in GitHub Actions workflows. Version 0.2.2 of romeo fixes this vulnerability.
AI Analysis
Technical Summary
CVE-2026-32805 is a path traversal vulnerability classified under CWE-22 affecting the ctfer-io romeo project, a tool designed to facilitate high code coverage measurement for Go applications (version ≥1.20) within GitHub Actions. The vulnerability resides in the sanitizeArchivePath function located in webserver/api/v1/decoder.go (lines 80-88) in romeo versions prior to 0.2.2. The function attempts to restrict extracted archive paths to a designated directory by checking if the path has a specific prefix using strings.HasPrefix. However, it fails to include a trailing path separator in this check, allowing crafted tar archive entries with relative path components (e.g., ../) to bypass the restriction. Consequently, an attacker can create a malicious tar archive that, when processed by romeo, writes files outside the intended extraction directory. This can lead to overwriting critical files, planting malicious payloads, or disrupting application behavior. The vulnerability is remotely exploitable without authentication or user interaction, as it only requires supplying a crafted archive to the vulnerable romeo instance. The CVSS 4.0 base score is 8.3 (high), reflecting the network attack vector, low attack complexity, no privileges required, no user interaction, but with high impact on confidentiality and availability, and limited scope change. No known exploits are reported in the wild as of publication. The issue was addressed in romeo version 0.2.2 by correcting the path validation logic to properly enforce directory restrictions during archive extraction.
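To make the trailing-separator point concrete, here is an added Go example (not romeo's own code; the two function bodies, the destination path and the entry names are constructed for illustration) contrasting a prefix check that omits the separator against one that requires it, so the reader can see exactly which entry names each version accepts:

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// sanitizeArchivePathVulnerable mirrors the flawed pattern the advisory
// describes: it joins the entry name onto the destination directory and
// accepts the result whenever the string merely starts with the destination.
// Because no trailing separator is required, a sibling directory whose name
// begins with the destination name ("out-sibling" next to "out") passes.
func sanitizeArchivePathVulnerable(dst, name string) (string, error) {
	v := filepath.Join(dst, name)
	if strings.HasPrefix(v, filepath.Clean(dst)) {
		return v, nil
	}
	return "", fmt.Errorf("content filepath is tainted: %s", name)
}

// sanitizeArchivePathFixed requires the joined path to be the destination
// itself (for a "./" directory entry) or to start with the cleaned
// destination followed by a path separator, which a sibling directory
// sharing only a name prefix can never satisfy.
func sanitizeArchivePathFixed(dst, name string) (string, error) {
	cleanDst := filepath.Clean(dst)
	v := filepath.Join(cleanDst, name)
	if v == cleanDst || strings.HasPrefix(v, cleanDst+string(os.PathSeparator)) {
		return v, nil
	}
	return "", fmt.Errorf("content filepath is tainted: %s", name)
}

func main() {
	// Constructed entry names: a benign file, a plain parent traversal, and a
	// traversal into a sibling directory whose name shares the prefix "out".
	dst := filepath.Join(string(os.PathSeparator), "srv", "extract", "out")
	for _, name := range []string{"cover/report.txt", "../report.txt", "../out-sibling/report.txt"} {
		_, vulnErr := sanitizeArchivePathVulnerable(dst, name)
		_, fixedErr := sanitizeArchivePathFixed(dst, name)
		fmt.Printf("%-26s vulnerable accepts: %-5v fixed accepts: %v\n", name, vulnErr == nil, fixedErr == nil)
	}
}
```

Only the middle case is rejected by both checks; the sibling-directory case is the one the missing separator lets through.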
Potential Impact
The impact of CVE-2026-32805 is significant for organizations using the vulnerable versions of romeo in their CI/CD pipelines, especially those relying on GitHub Actions for Go application testing and coverage measurement. Exploitation can lead to arbitrary file writes outside the intended directory, potentially overwriting system or application files, injecting malicious code, or disrupting build and deployment processes. This could result in compromised build environments, supply chain attacks, or denial of service. Since romeo is used in automated testing workflows, attackers could leverage this vulnerability to persist malicious artifacts within build environments or manipulate test results. The lack of authentication and user interaction requirements increases the risk, especially in environments where untrusted archives might be processed. Although no known exploits exist currently, the vulnerability's high severity and ease of exploitation make it a critical risk for affected organizations.
Mitigation Recommendations
To mitigate this vulnerability, organizations should immediately upgrade romeo to version 0.2.2 or later, where the path traversal issue is fixed. Until upgrading is possible, implement strict validation and sanitization of all archive inputs before processing, including rejecting archives containing path traversal sequences such as '../'. Employ runtime monitoring to detect unexpected file writes outside designated directories during archive extraction. Restrict the execution environment of romeo to minimal privileges and isolated containers to limit potential damage from exploitation. Additionally, review and harden CI/CD pipeline permissions to prevent unauthorized injection of malicious archives. Incorporate security scanning tools that detect path traversal patterns in archives and code. Finally, maintain awareness of romeo usage across the organization to ensure all instances are patched promptly.
Affected Countries
United States, Germany, United Kingdom, Canada, France, Japan, Australia, Netherlands, India, South Korea
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-16T17:35:36.695Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69bb2a8a771bdb1749cbc625
Added to database: 3/18/2026, 10:43:22 PM
Last enriched: 3/26/2026, 1:20:14 AM
Last updated: 5/1/2026, 3:17:29 PM