Fluid Attacks Database

Description

A malicious client acting as the receiver of an rsync file transfer can trigger an out of bounds read of a heap based buffer, via a negative array index. The malicious rsync client requires at least read access to the remote rsync module in order to trigger the issue.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
alpine v3.22	rsync	=3.0.5-r0 \|\| =3.0.6-r0 \|\| =3.0.6-r1 \|\| =3.0.7-r0 \|\| =3.0.7-r1 \|\| =3.0.8-r0 \|\| =3.0.9-r0 \|\| =3.0.9-r1 \|\| =3.1.0-r0 \|\| =3.1.1-r0 \|\| =3.1.1-r1 \|\| =3.1.1-r2 \|\| =3.1.2-r2 \|\| =3.1.2-r3 \|\| =3.1.2-r4 \|\| =3.1.2-r5 \|\| =3.1.2-r6 \|\| =3.1.2-r7 \|\| =3.1.3-r0 \|\| =3.1.3-r1 \|\| =3.1.3-r2 \|\| =3.1.3-r3 \|\| =3.2.2-r0 \|\| =3.2.3-r0 \|\| =3.2.3-r1 \|\| =3.2.3-r2 \|\| =3.2.3-r3 \|\| =3.2.3-r4 \|\| =3.2.3-r5 \|\| =3.2.4-r0 \|\| =3.2.4-r1 \|\| =3.2.4-r2 \|\| =3.2.5-r0 \|\| =3.2.6-r0 \|\| =3.2.7-r0 \|\| =3.2.7-r1 \|\| =3.2.7-r2 \|\| =3.2.7-r3 \|\| =3.2.7-r4 \|\| =3.3.0-r0 \|\| =3.4.0-r0 \|\| =3.4.1-r0 \|\| >=0 <3.4.1-r1	3.4.1-r1
alpine v3.21	rsync	=3.0.5-r0 \|\| =3.0.6-r0 \|\| =3.0.6-r1 \|\| =3.0.7-r0 \|\| =3.0.7-r1 \|\| =3.0.8-r0 \|\| =3.0.9-r0 \|\| =3.0.9-r1 \|\| =3.1.0-r0 \|\| =3.1.1-r0 \|\| =3.1.1-r1 \|\| =3.1.1-r2 \|\| =3.1.2-r2 \|\| =3.1.2-r3 \|\| =3.1.2-r4 \|\| =3.1.2-r5 \|\| =3.1.2-r6 \|\| =3.1.2-r7 \|\| =3.1.3-r0 \|\| =3.1.3-r1 \|\| =3.1.3-r2 \|\| =3.1.3-r3 \|\| =3.2.2-r0 \|\| =3.2.3-r0 \|\| =3.2.3-r1 \|\| =3.2.3-r2 \|\| =3.2.3-r3 \|\| =3.2.3-r4 \|\| =3.2.3-r5 \|\| =3.2.4-r0 \|\| =3.2.4-r1 \|\| =3.2.4-r2 \|\| =3.2.5-r0 \|\| =3.2.6-r0 \|\| =3.2.7-r0 \|\| =3.2.7-r1 \|\| =3.2.7-r2 \|\| =3.2.7-r3 \|\| =3.2.7-r4 \|\| =3.3.0-r0 \|\| =3.3.0-r1 \|\| =3.4.0-r0 \|\| =3.4.1-r0 \|\| >=0 <3.4.1-r1	3.4.1-r1
alpine v3.19	rsync	=3.0.5-r0 \|\| =3.0.6-r0 \|\| =3.0.6-r1 \|\| =3.0.7-r0 \|\| =3.0.7-r1 \|\| =3.0.8-r0 \|\| =3.0.9-r0 \|\| =3.0.9-r1 \|\| =3.1.0-r0 \|\| =3.1.1-r0 \|\| =3.1.1-r1 \|\| =3.1.1-r2 \|\| =3.1.2-r2 \|\| =3.1.2-r3 \|\| =3.1.2-r4 \|\| =3.1.2-r5 \|\| =3.1.2-r6 \|\| =3.1.2-r7 \|\| =3.1.3-r0 \|\| =3.1.3-r1 \|\| =3.1.3-r2 \|\| =3.1.3-r3 \|\| =3.2.2-r0 \|\| =3.2.3-r0 \|\| =3.2.3-r1 \|\| =3.2.3-r2 \|\| =3.2.3-r3 \|\| =3.2.3-r4 \|\| =3.2.3-r5 \|\| =3.2.4-r0 \|\| =3.2.4-r1 \|\| =3.2.4-r2 \|\| =3.2.5-r0 \|\| =3.2.6-r0 \|\| =3.2.7-r0 \|\| =3.2.7-r1 \|\| =3.2.7-r2 \|\| =3.2.7-r3 \|\| =3.2.7-r4 \|\| =3.4.0-r0 \|\| =3.4.1-r0 \|\| >=0 <3.4.1-r1	3.4.1-r1
debian 11	rsync	=3.2.3-4 \|\| =3.2.3-4+deb11u1 \|\| =3.2.3-4+deb11u2 \|\| =3.2.3-4+deb11u3 \|\| =3.2.3-5 \|\| =3.2.3-6 \|\| =3.2.3-7 \|\| =3.2.3-8 \|\| =3.2.4-1 \|\| =3.2.4-1~bpo11+1 \|\| =3.2.5-1 \|\| =3.2.6-1 \|\| =3.2.6-2 \|\| =3.2.6-3 \|\| =3.2.6-4 \|\| =3.2.7-1 \|\| =3.2.7-1~bpo11+1 \|\| =3.3.0+ds1-1 \|\| =3.3.0+ds1-2 \|\| =3.3.0+ds1-3 \|\| =3.3.0+ds1-4 \|\| =3.3.0-1 \|\| =3.4.1+ds1-1 \|\| =3.4.1+ds1-2 \|\| =3.4.1+ds1-3 \|\| =3.4.1+ds1-4 \|\| =3.4.1+ds1-4~exp1 \|\| =3.4.1+ds1-4~exp2 \|\| =3.4.1+ds1-5 \|\| =3.4.1+ds1-5~exp1 \|\| =3.4.1+ds1-6 \|\| =3.4.1+ds1-7 \|\| =3.4.1+ds1-8~exp1	-
debian 12	rsync	=3.2.7-1 \|\| =3.2.7-1+deb12u1 \|\| =3.2.7-1+deb12u2 \|\| =3.2.7-1+deb12u3 \|\| >=0 <3.2.7-1+deb12u4	3.2.7-1+deb12u4
alpine v3.23	rsync	=3.0.5-r0 \|\| =3.0.6-r0 \|\| =3.0.6-r1 \|\| =3.0.7-r0 \|\| =3.0.7-r1 \|\| =3.0.8-r0 \|\| =3.0.9-r0 \|\| =3.0.9-r1 \|\| =3.1.0-r0 \|\| =3.1.1-r0 \|\| =3.1.1-r1 \|\| =3.1.1-r2 \|\| =3.1.2-r2 \|\| =3.1.2-r3 \|\| =3.1.2-r4 \|\| =3.1.2-r5 \|\| =3.1.2-r6 \|\| =3.1.2-r7 \|\| =3.1.3-r0 \|\| =3.1.3-r1 \|\| =3.1.3-r2 \|\| =3.1.3-r3 \|\| =3.2.2-r0 \|\| =3.2.3-r0 \|\| =3.2.3-r1 \|\| =3.2.3-r2 \|\| =3.2.3-r3 \|\| =3.2.3-r4 \|\| =3.2.3-r5 \|\| =3.2.4-r0 \|\| =3.2.4-r1 \|\| =3.2.4-r2 \|\| =3.2.5-r0 \|\| =3.2.6-r0 \|\| =3.2.7-r0 \|\| =3.2.7-r1 \|\| =3.2.7-r2 \|\| =3.2.7-r3 \|\| =3.2.7-r4 \|\| =3.3.0-r0 \|\| =3.4.0-r0 \|\| =3.4.1-r0 \|\| >=0 <3.4.1-r1	3.4.1-r1
alpine v3.20	rsync	=3.0.5-r0 \|\| =3.0.6-r0 \|\| =3.0.6-r1 \|\| =3.0.7-r0 \|\| =3.0.7-r1 \|\| =3.0.8-r0 \|\| =3.0.9-r0 \|\| =3.0.9-r1 \|\| =3.1.0-r0 \|\| =3.1.1-r0 \|\| =3.1.1-r1 \|\| =3.1.1-r2 \|\| =3.1.2-r2 \|\| =3.1.2-r3 \|\| =3.1.2-r4 \|\| =3.1.2-r5 \|\| =3.1.2-r6 \|\| =3.1.2-r7 \|\| =3.1.3-r0 \|\| =3.1.3-r1 \|\| =3.1.3-r2 \|\| =3.1.3-r3 \|\| =3.2.2-r0 \|\| =3.2.3-r0 \|\| =3.2.3-r1 \|\| =3.2.3-r2 \|\| =3.2.3-r3 \|\| =3.2.3-r4 \|\| =3.2.3-r5 \|\| =3.2.4-r0 \|\| =3.2.4-r1 \|\| =3.2.4-r2 \|\| =3.2.5-r0 \|\| =3.2.6-r0 \|\| =3.2.7-r0 \|\| =3.2.7-r1 \|\| =3.2.7-r2 \|\| =3.2.7-r3 \|\| =3.2.7-r4 \|\| =3.3.0-r0 \|\| =3.4.0-r0 \|\| =3.4.1-r0 \|\| >=0 <3.4.1-r1	3.4.1-r1
debian 14	rsync	=3.4.1+ds1-5 \|\| =3.4.1+ds1-6 \|\| >=0 <3.4.1+ds1-7	3.4.1+ds1-7
debian 13	rsync	=3.4.1+ds1-5 \|\| >=0 <3.4.1+ds1-5+deb13u1	3.4.1+ds1-5+deb13u1
rpm rhel8	rsync	<0:3.1.3-24.el8_10	0:3.1.3-24.el8_10

1-10 of 17

Aliases

1. CVE-2025-101582. NVD-2025-101583. OSV-ALPINE-2025-101584. OSV-2025-101585. OSV-DEBIAN-2025-101586. SECURITY-CVE-2025-101587. SECURITY-TRACKER-CVE-2025-10158

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.