A look at the recent rsync vulnerability
On January 14, Nick Tait announced the discovery of six vulnerabilities in rsync, the popular file-synchronization tool. While software vulnerabilities are not uncommon, the most serious one he announced allows for remote code execution on servers that run rsyncd — and possibly other configurations. The bug itself is fairly simple, but this event provides a nice opportunity to dig into it, show why it is so serious, and consider ways the open-source community can prevent such mistakes in the future. The vulnerabilities were found by two groups of researchers: Simon Scannell, Pedro Gallegos, and Jasiel Spelman from Google's Cloud Vulnerability Research identified five of them, including the most serious one. Aleksei Gorban, a security researcher at TikTok, discovered the sixth — a race condition in how rsync handles symbolic links.
![Government and university websites targeted in ScriptAPI[.]dev client-side attack - c/side](https://rdl.ink/render/https%3A%2F%2Fcontent.cside.dev%2Fcontent%2Fimages%2F2025%2F01%2FScriptAPI-cside.dev.jpg?width=92&height=&ar=&mode=&format=avif&dpr=2)
