What is the latest version of rsync?

rsync 3.4.1 (January 16, 2025), Protocol 32. This version fixes regressions in the 3.4.0 release that patched 6 critical security vulnerabilities discovered in January 2025.

What is CVE-2024-12084 and why is it critical?

CVE-2024-12084 is a heap buffer overflow vulnerability in rsync's checksum processing code. With a CVSS score of 9.8 (critical), it allows anonymous clients to achieve remote code execution (RCE) even on read-only modules. Present since rsync 3.2.7, this vulnerability was patched in 3.4.0.

Should I use rclone instead of rsync?

These tools complement each other rather than replacing one another. rsync can perform delta transfers (only changed bytes) over SSH between servers, while rclone works with 70+ cloud providers like S3, Azure, and Google Cloud, and can be up to 4x faster with multi-threaded transfers. Use rclone for cloud storage and rsync for server-to-server synchronization.

Is rsync daemon (port 873) still safe?

No. The January 2025 CVEs revealed that approximately 660,000 rsync servers exposed on the internet were at risk. SSH-based rsync should be used instead of the rsync daemon. If daemon usage is mandatory, it should run within a VPN or encrypted tunnel with hosts allow restrictions.

rsync, Security Vulnerabilities and Modern File Synchronization

A comprehensive guide from rsync fundamentals to 2025 security vulnerabilities, modern flags to alternatives like rclone and Syncthing, and file synchronization in AI/ML workflows.

Ceyhun Enki Aksan Entrepreneur, Maker

Feb 9, 2026

TL;DR

Topic	2019	2026
Version	rsync 3.1.x	rsync 3.4.1 (Protocol 32)
Compression	gzip (`-z`)	zstd (`--compress-choice=zstd`)
Checksum	MD4/MD5	XXH3, XXH64, SHA256
Security	Daemon common	SSH mandatory, 6 CVEs patched
Progress	Per-file (`-P`)	Overall (`--info=progress2`)
Cloud	None	rclone (70+ backends)
Bidirectional	None	Mutagen, Syncthing 2.0

The first version of this article was published in 2019. Since then, rsync itself, the surrounding security requirements, automation approaches, and complementary tools have undergone significant evolution. In this update, I will cover rsync’s new structure that preserves its fundamentals while adapting to modern development workflows.

rsync Fundamentals

rsync is a synchronization tool that performs file transfer operations both locally and remotely, transmitting only the changed bytes through its delta transfer algorithm. Rather than rewriting entire files, it works by applying differences, which provides significant performance gains especially with large file sets.

Its most basic usage:

rsync [source-file-or-directory] [destination-file-or-directory]

To transfer multiple files to a target directory, files are listed sequentially before the destination:

rsync -R [source-file-1] [source-file-2] [destination-directory]

Basic Parameters

Parameter	Description	Example
`-a`	Archive mode (symlinks, permissions, timestamps)	`rsync -a src/ dest/`
`-v`	Verbose output	`rsync -av src/ dest/`
`-z`	Compression (gzip)	`rsync -avz src/ dest/`
`-r`	Recursive directory synchronization	`rsync -r src/ dest/`
`-P`	Progress + partial transfer (`--progress --partial`)	`rsync -avP src/ dest/`
`-e`	Specify remote shell	`rsync -avz -e ssh src/ user@host:/dest/`
`-n`	Dry run	`rsync -avn --delete src/ dest/`
`--delete`	Delete files from destination not in source	`rsync -av --delete src/ dest/`
`--exclude`	Exclude specific files/directories	`rsync -av --exclude='*.log' src/ dest/`
`--include`	Include specific files/directories	`rsync -av --include='*.php' src/ dest/`

Local and Remote Synchronization

The trailing slash (/) on the source directory determines the behavior. /source/ transfers the directory contents, while /source adds the directory itself as a subdirectory in the destination.

Local synchronization:

rsync -arv /source/ /destination

Pull (remote server to local):

rsync -ahivz user@server:/source/ /local-destination

Push (local to remote server):

rsync -ahivz /local-source/ user@server:/destination

When rsync operates over SSH, it uses port 22 by default. For a different port, specify -e "ssh -p 2222".

Security and Protocol Changes

The most critical development in the rsync ecosystem since 2019 has been in the security domain. In January 2025, 6 security vulnerabilities discovered by the Google Cloud Vulnerability Research team and Aleksei Gorban necessitated the most comprehensive security update in rsync’s history¹.

January 2025 CVEs

CVE	CVSS	Description
CVE-2024-12084	9.8 (Critical)	Heap buffer overflow in checksum processing. Remote code execution (RCE) with anonymous clients
CVE-2024-12085	7.5 (High)	Uninitialized stack memory leak. ASLR bypass
CVE-2024-12086	6.1 (Medium)	Malicious server can read client files
CVE-2024-12087	6.5 (Medium)	Path traversal via symbolic links
CVE-2024-12088	6.5 (Medium)	`--safe-links` protection bypass
CVE-2024-12747	5.6 (Medium)	Symlink race condition

CVE-2024-12084 has been present since rsync 3.2.7 (October 2022). Due to insufficient checksum length (s2length) validation, an attacker-controlled value enables a 48-byte out-of-bounds write operation. When combined with CVE-2024-12085, it allows anonymous remote code execution even on read-only modules².

Shodan scans have identified approximately 660,000 rsync servers (port 873) exposed on the internet³. This clearly demonstrates how risky rsync daemon usage has become.

Protocol Change

With rsync 3.4.0, the protocol version was upgraded from 30 to 32. This allows administrators to verify whether the remote server is patched by checking the protocol version:

rsync --version | head -1
# rsync  version 3.4.1  protocol version 32

SSH Mandate

In 2019, direct connections via rsync daemon (port 873) were still a common practice. As of 2026, this approach has been abandoned:

# 2019: Daemon usage was common
rsync rsync://server/module/ /destination/

# 2026: SSH-based rsync is standard
rsync -avz -e ssh source/ user@server:/destination/

If daemon usage is mandatory, it should run within a VPN or encrypted tunnel with hosts allow restrictions. The ed25519 algorithm should be preferred for SSH keys:

ssh-keygen -t ed25519 -C "rsync-automation"

Modern Flags and Performance

Features added in rsync 3.2.0 (June 2020) and later have significantly improved performance and user experience.

Zstandard (zstd) Compression

Instead of classic gzip (-z), zstd compression delivers both faster and more efficient results. Added in rsync 3.2.0, this feature automatically negotiates the best algorithm supported by both sides⁴:

# Transfer with zstd compression
rsync -avz --compress-choice=zstd source/ user@server:/destination/

# Short form
rsync -avz --zc=zstd source/ user@server:/destination/

The RSYNC_COMPRESS_LIST environment variable allows customizing the negotiation order.

XXHash Checksum

Instead of MD4 and MD5, XXH3 and XXH64 checksum algorithms that leverage SIMD instruction sets on modern processors have been added. Integrity verification on large file sets is no longer as slow as it used to be⁴:

# Verification with XXH3 checksum
rsync -avz --checksum-choice=xxh3 source/ destination/

# Short form
rsync -avz --cc=xxh3 source/ destination/

Available checksum algorithms: xxh128, xxh3, xxh64, md5, md4, sha1, none.

Overall Progress Indicator

Instead of per-file progress, --info=progress2 shows overall transfer progress as a percentage:

rsync -avz --info=progress2 source/ user@server:/destination/

Other Modern Flags

Flag	Version	Description
`--mkpath`	3.2.3	Automatically create destination directory path
`--stop-after=N`	3.2.3	Stop transfer after N seconds
`--stop-at=TIME`	3.2.3	Stop transfer at specified time
`--inplace`	Existing (fixed with `--sparse` in 3.3.0)	Write directly to existing file instead of temp file
`--fsync`	3.2.4	Call fsync after each file write
`--copy-devices`	3.2.4	Copy device files

The --inplace parameter saves disk space with massive files (database dumps, VM images). However, if the transfer is interrupted, the file may become corrupted. For critical data, using it with --backup is recommended:

# Large file transfer (disk-saving but risky)
rsync -avz --inplace --backup --backup-dir=/backup large-file.img user@server:/destination/

rsync in AI/ML Workflows

With the proliferation of artificial intelligence and machine learning projects, rsync has evolved beyond a traditional file transfer tool to become part of AI pipelines.

GPU Cluster Data Synchronization

When working with ephemeral GPU rental services (Lambda Labs, RunPod, Vast.ai), rsync serves as the primary tool for transferring code and datasets to GPU machines. A typical workflow⁵:

# 1. Send code to GPU machine
rsync -avz --exclude='.venv' --exclude='node_modules' \
  code/ user@gpu-host:~/code/

# 2. Synchronize training data
rsync -avz --info=progress2 --compress-choice=zstd \
  data/ user@gpu-host:~/data/

# 3. Run training (on GPU)
ssh user@gpu-host "cd ~/code && python train.py"

# 4. Pull results back
rsync -avz user@gpu-host:~/data/results/ results/

rsync’s delta transfer capability provides a critical advantage here: after code changes, re-synchronization only transfers modified files. This approach works efficiently for datasets ranging from hundreds of megabytes to a few gigabytes. At petabyte scale, distributed file systems like Lustre, BeeGFS, or Alluxio are preferred.

rsync vs rclone: Which Tool for Which Scenario?

Scenario	rsync	rclone
Server-to-server (SSH)	Suitable	Not supported
Delta transfer (byte level)	Suitable	Not supported
S3, Azure, GCS	Not supported	Suitable (70+ backends)
Multi-threaded transfer	Single-threaded	Suitable (4x faster)⁶
Unix permission preservation	Suitable	Not supported
Large dataset from cloud	Slow (single-threaded)	Suitable

For pulling data from cloud storage (S3, GCS) to GPU instances, rclone is the better choice. For synchronization between local machines and GPU instances over SSH, rsync remains the practical option.

LLM Automation

Rather than manually writing complex --exclude rules, providing directory structures to LLMs and having them generate appropriate rsync commands has become a common practice:

# Example: Safe exclude list generated by LLM
rsync -avz --compress-choice=zstd \
  --exclude='.git' \
  --exclude='node_modules' \
  --exclude='__pycache__' \
  --exclude='.venv' \
  --exclude='*.pyc' \
  --exclude='.env' \
  --info=progress2 \
  project/ user@server:/destination/

A critical point to note: in commands containing the --delete flag, AI-generated scripts can sometimes lead to unexpected results. Therefore, --dry-run should always be run before using --delete.

Modern Alternatives and Complements

When rsync falls short or different needs arise, as of 2026, the following tools complement rsync or replace it in specific scenarios.

rclone

rclone, positioned as “rsync for cloud storage”, is a file synchronization tool that works with over 70 cloud providers⁷. With its latest version v1.73.0 (January 2026), it continues active development.

# Sync from S3 to local
rclone sync s3:bucket/data/ /local/data/

# Multi-threaded transfer
rclone copy --multi-thread-streams=16 source/ destination/

# Mount cloud storage as filesystem
rclone mount s3:bucket/ /mnt/s3/

In Jeff Geerling’s 2025 benchmark, rclone delivered results 4 times faster than rsync when transferring approximately 60 GiB over a 10 Gbps network (2 minutes 15 seconds vs 8 minutes 17 seconds). This difference stems from rclone’s multi-threaded transfer architecture⁶.

However, rclone cannot preserve Unix permissions/attributes and cannot perform intra-file delta transfers. It operates at the file/object level.

Syncthing 2.0

Syncthing is a peer-to-peer continuous file synchronization tool that requires no central server. The 2.0 version released in August 2025 includes significant changes⁸:

SQLite database instead of LevelDB (less corruption risk)
Multiple connection support (separate channels for index metadata and data exchange)
UDP port mapping with QUIC support (better firewall traversal)
Automatic forgetting of deleted items after 15 months

Syncthing is suitable for personal multi-device synchronization and team file sharing. Not requiring server management provides an advantage.

Mutagen

Mutagen provides bidirectional and real-time file synchronization for remote development environments (VS Code Remote, Docker containers)⁹. Unlike rsync, it watches filesystem changes for instant synchronization. It offers four synchronization modes; the default two-way-safe prevents data loss during conflicts.

ZFS/Btrfs Send/Receive

In scenarios where data consistency is critical, snapshot-based replication at the filesystem level provides a more reliable alternative to rsync¹⁰:

Block-level incremental replication (no filesystem traversal needed)
Rename and move operations are very low cost
Both sides must use the same filesystem (ZFS-to-ZFS or Btrfs-to-Btrfs)

For NAS-to-NAS replication and backup systems (TrueNAS, etc.), ZFS replication is preferred over rsync.

Unison

Unison is a bidirectional file synchronization tool written in OCaml¹¹. Its key difference from rsync is that it displays conflicting updates to the user rather than silently overwriting them. Since version 2.52.0, the wire protocol is no longer dependent on the OCaml version, solving the longstanding version mismatch issue.

Comparison Table

Tool	Transfer	Direction	Cloud	Permissions	Real-time
rsync	Delta (byte)	One-way	None	Preserved	No
rclone	Full file	One-way	70+ backends	Not preserved	No
Syncthing	Block-based	Bidirectional	None	Preserved	Yes
Mutagen	Delta	Bidirectional	None	Preserved	Yes
Unison	Delta	Bidirectional	None	Preserved	No
ZFS Send	Block (snapshot)	One-way	None	Preserved	No

2026 Best Practice Guide

Modern rsync Command

rsync -avz \
  --info=progress2 \
  --compress-choice=zstd \
  --exclude='.git' \
  --exclude='node_modules' \
  --exclude='*.log' \
  -e "ssh -o VisualHostKey=no" \
  /source/ user@server:/destination/

Security Checklist

# 1. Version check (should be 3.4.1+, Protocol 32)
rsync --version | head -1

# 2. Always dry-run before using --delete
rsync -avz --delete --dry-run source/ destination/

# 3. Then actual transfer
rsync -avz --delete source/ destination/

Scenario-Based Commands

Server backup (over SSH, zstd, progress):

rsync -avz --info=progress2 --compress-choice=zstd \
  -e ssh user@server:/var/www/ /backup/www/

Large file transfer (inplace, bandwidth limit):

rsync -avz --inplace --bwlimit=10M --partial --info=progress2 \
  large-file.tar.gz user@server:/destination/

Mirror (including delete, dry-run first):

rsync -avz --delete --dry-run source/ user@server:/destination/
# After checking output:
rsync -avz --delete --info=progress2 source/ user@server:/destination/

Time-limited transfer (3.2.3+):

rsync -avz --stop-after=3600 source/ destination/  # stop after 1 hour

Auto-create destination directory (3.2.3+):

rsync -avz --mkpath source/ destination/nonexistent/directory/path/

Conclusion

rsync maintains its position as the fundamental tool for file synchronization through its delta transfer algorithm and Unix philosophy-aligned design. However, the critical security vulnerabilities discovered in early 2025 have demonstrated once again how important it is to keep this tool up to date. rsync 3.4.1 or higher, SSH-based usage, and zstd compression are considered minimum requirements as of 2026.

Across the broader ecosystem, rsync is no longer alone. Tools like rclone for cloud synchronization, Syncthing and Mutagen for bidirectional real-time synchronization, and ZFS send/receive for filesystem-level replication address different needs. Using these tools in a complementary fashion within modern development workflows stands out as the most sound approach.

For other command-line tools commonly used alongside rsync, see wget, grep, and crontab.

Member Zone