CVE-2024-12088

Name: CVE-2024-12088
Creator: NVD / NIST
Published: 2025-01-14T18:15:25.643+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

HIGHCVSS 7.5/10EPSS 4.58%

Last modified Jun 25, 2026

CVE-2024-12088 is a high-severity vulnerability rated 7.5/10 on the CVSS scale. A flaw was found in rsync. When using the `--safe-links` option, the rsync client fails to properly verify if a symbolic link destination sent from the server contains another symbolic link within it. EPSS estimates a 4.58% chance of exploitation in the next 30 days.

Description

A flaw was found in rsync. When using the `--safe-links` option, the rsync client fails to properly verify if a symbolic link destination sent from the server contains another symbolic link within it. This results in a path traversal vulnerability, which may lead to arbitrary file write outside the desired directory.

Metrics

CVSS 3.1

7.5/10

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

EPSS Probability

4.58%

90.4th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

Vendor	Product	Versions
Samba	Rsync	<= 3.3.0
Redhat	Discovery	1.14
Redhat	Openshift Container Platform	4.0
Redhat	Enterprise Linux	6.0
Redhat	Enterprise Linux	7.0
Redhat	Enterprise Linux	8.0
Redhat	Enterprise Linux	9.0
Redhat	Enterprise Linux	10.0
Redhat	Enterprise Linux Eus	9.6
Redhat	Enterprise Linux For Arm 64	8.0_aarch64
Redhat	Enterprise Linux For Arm 64	9.0_aarch64
Redhat	Enterprise Linux For Arm 64 Eus	9.6_aarch64
Redhat	Enterprise Linux For Ibm Z Systems	8.0_s390x
Redhat	Enterprise Linux For Ibm Z Systems	9.0_s390x
Redhat	Enterprise Linux For Ibm Z Systems Eus	9.6_s390x
Redhat	Enterprise Linux For Power Little Endian	8.0_ppc64le
Redhat	Enterprise Linux For Power Little Endian	9.0_ppc64le
Redhat	Enterprise Linux For Power Little Endian Eus	9.6_ppc64le
Redhat	Enterprise Linux Server Aus	9.6
Redhat	Enterprise Linux Server For Power Little Endian Update Services For Sap Solutions	9.6_ppc64le
Redhat	Enterprise Linux Update Services For Sap Solutions	9.6
Archlinux	Arch Linux	All versions
Gentoo	Linux	All versions
Nixos	Nixos	< 24.11
Novell	Suse Linux	All versions
Tritondatacenter	Smartos	< 20250123
Almalinux	Almalinux	8.0
Almalinux	Almalinux	9.0
Almalinux	Almalinux	10.0

References

https://access.redhat.com/errata/RHBA-2025:6470
https://access.redhat.com/errata/RHSA-2025:2600Third Party Advisory
https://access.redhat.com/errata/RHSA-2025:7050Third Party Advisory
https://access.redhat.com/errata/RHSA-2025:8385Third Party Advisory
https://access.redhat.com/security/cve/CVE-2024-12088Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=2330676Issue Tracking, Third Party Advisory
https://kb.cert.org/vuls/id/952657Third Party Advisory
https://lists.debian.org/debian-lts-announce/2025/01/msg00008.html
https://security.netapp.com/advisory/ntap-20250131-0002/
https://www.kb.cert.org/vuls/id/952657
https://github.com/google/security-research/security/advisories/GHSA-p5pg-x43v-mvqjThird Party Advisory

Timeline

Published: Jan 14, 2025
Last Modified: Jun 25, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2024-12088?

How severe is CVE-2024-12088?

CVE-2024-12088 has a CVSS score of 7.5/10 (HIGH severity). The EPSS model estimates a 4.58% probability of exploitation in the next 30 days.

How do I fix CVE-2024-12088?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2024-12088?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST