sysnc is an offensive-security utility. It wraps a public exploit (CVE-2024-31317) for local research, authorised pentesting, and education. The notes below describe the intended use, what to do if you find a vulnerability in sysnc itself, and what is out of scope.
- Devices you own.
- Devices you have written authorisation to test.
- Lab environments, CTFs, and controlled training scenarios.
- Defensive research (e.g. validating that a patched device is no longer vulnerable).
Running sysnc against any device without the owner's explicit permission is illegal in most jurisdictions. The authors will not provide support for unauthorised use.
If you find a bug in sysnc, install.sh, or the documentation that could put a user at risk — for example, a command-injection flaw in argument parsing, an installer that fetches an unverified script, or a documentation step that leaks credentials — please report it privately first.
- Open a GitHub Security Advisory on the repository, or
- Email the maintainer (see git log / commit metadata) with subject `sysnc security:`.
Please include:
- A short description of the issue and its impact.
- Steps to reproduce (a minimal script or command sequence is ideal).
- The affected version (`sysnc --version`) and platform (Termux version, Android version).
- Suggested mitigation, if any.
A maintainer will acknowledge the report within 7 days and aim to publish a fix or workaround within 30 days for high-severity issues. Lower-severity issues will be tracked in the public issue tracker once an initial fix is in place.
The following are not vulnerabilities in sysnc; please do not report them as such:
- The existence of CVE-2024-31317 itself. Report Android platform issues to Google's Android Security team.
- Misuse of `sysnc` against devices you do not own or are not authorised to test.
- The fact that the netcat listener is unauthenticated. This is a deliberate design choice for a local-research tool; bind it to `127.0.0.1` (the default) or place it behind your own access controls.
- General Termux or Shizuku bugs. Report those to the respective upstream projects.
- The quick-install one-liner pipes a remote script into `bash`. If you do not trust the network path or the GitHub `main` branch state at the moment of install, prefer the manual install: clone, inspect, then `install -m 755 sysnc "$PREFIX/bin/sysnc"`.
- The installer validates that the downloaded `sysnc` script starts with a bash shebang before installing, but does not currently verify a checksum or signature. Tracked as an open improvement.
- Always run `sysnc -v` after install to confirm the version you expected.
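
One way to close the checksum gap during a manual install, as an added example (not the project's `install.sh`): the shebang check described above plus a SHA-256 comparison against a digest you pinned yourself. The function names `sha256_of` and `verify_and_install`, their arguments, and the idea of pinning the digest from an inspected clone are assumptions.

```shell
#!/usr/bin/env bash
# Added example: verify a downloaded sysnc script before installing it.
# sha256_of and verify_and_install are hypothetical helpers, not part of sysnc.

# Print the SHA-256 of a file as lowercase hex.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_and_install FILE EXPECTED_SHA256 DEST_DIR
# Installs FILE as DEST_DIR/sysnc only if both checks pass.
# Return codes: 2 missing file, 3 bad shebang, 4 checksum mismatch.
verify_and_install() {
    local file="$1" expected="$2" dest="$3" first actual
    [ -f "$file" ] || { echo "missing file: $file" >&2; return 2; }

    # Check 1: the first line must be a bash shebang (the check the page
    # says the installer already performs).
    IFS= read -r first < "$file" || true
    case $first in
        '#!/usr/bin/env bash'*|'#!'*/bin/bash*) ;;
        *) echo "not a bash script: $file" >&2; return 3 ;;
    esac

    # Check 2: compare against a digest obtained out of band (assumption:
    # you computed it from the clone you inspected). Case-insensitive.
    actual=$(sha256_of "$file")
    expected=$(printf '%s' "$expected" | tr 'A-F' 'a-f')
    if [ "$actual" != "$expected" ]; then
        echo "checksum mismatch: got $actual" >&2
        return 4
    fi

    install -m 755 "$file" "$dest/sysnc"
}
```

A shebang check alone only rejects non-script content; any modified bash script still passes it, which is why the digest comparison runs before `install`.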