A path traversal vulnerability in Wish (versions 2.0.0-2.0.1) allows attackers to read or write arbitrary files on the server, requiring an immediate update.

The SCP middleware fails to properly sanitize filenames, allowing attackers to use ../ sequences to escape the intended directory and manipulate server files.

With a CVSS score of 9.6, this vulnerability permits an attacker to compromise the integrity and confidentiality of the server. By writing arbitrary files, an attacker could gain persistent access or execute code, leading to complete server takeover.

Immediate Action: Update to Wish version 2.0.1 or later immediately.

Proactive Monitoring: Audit file system logs for unauthorized changes or attempts to access files outside of the configured root directory.

Compensating Controls: Run the SSH server in a containerized or chroot environment to minimize the impact of a potential path traversal.

Public Exploit Available: No

Upgrade to version 2.0.1 immediately. Given the risk of remote file system manipulation, this should be treated as a critical maintenance task.