CVE-2026-49340 - gonic playlist arbitrary file write

gonic before 0.21.0 can let playlist creation or update write files outside the intended directory, including via absolute paths and overly permissive directory creation. In multi-user media deployments this can become a direct filesystem corruption primitive.

Affected versions

  • Vulnerable: sentriz/gonic <0.21.0
  • Fixed: 0.21.0+

Remediation strategy

  • Upgrade to 0.21.0+.
  • Resolve final playlist paths under a fixed root, reject absolute paths and traversal segments, and use least-privilege permissions for any new directories.
  • Test create and update flows with malicious filenames.

The prompt

Model context: this prompt was generated by GPT 5.5 Extra High reasoning.

Remediate CVE-2026-49340 in gonic. Produce either a reviewer-ready PR that
upgrades gonic, hardens playlist write-path handling, and adds regression
tests, or TRIAGE.md if this repository does not control the affected gonic
runtime or fork.

Steps:
1. Inventory gonic modules, forks, images, and playlist write paths.
2. Upgrade every controlled version to 0.21.0+.
3. Enforce final-path containment and least-privilege directory creation.
4. Add tests for absolute-path and traversal-shaped filenames.
5. Use PR title `fix(sec): remediate gonic playlist arbitrary file write`.

Verification

  • No controlled gonic runtime remains below 0.21.0.
  • Playlist create/update flows cannot write outside the intended root.

References