GHSA-J95M-RCJP-Q69H
Vulnerability from github – Published: 2025-03-28 14:45 – Updated: 2025-11-07 16:43Impact
A malicious user could feed a specially crafted archive to this library causing RCE, modification of files or other bad things in the context of whatever user is running this library as, through the program that imports it.
The severity highly depends on the user's permissions and environment it is being ran in (e.g., non root, read only root container would likely have no impact vs running something as root on a production system).
The severity is also dependent on arbitrary archives being passed or not.
Based on the above, severity high was picked to be safe.
Patches
Patched with the help of snyk and gosec in v1.0.1
Workarounds
The only workaround is to manually validate archives before submitting them to this library, however that is not recommended vs upgrading to unaffected versions.
References
https://security.snyk.io/research/zip-slip-vulnerability
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/jaredallard/archives"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.0.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-64346"
],
"database_specific": {
"cwe_ids": [
"CWE-22"
],
"github_reviewed": true,
"github_reviewed_at": "2025-03-28T14:45:59Z",
"nvd_published_at": "2025-11-07T06:15:33Z",
"severity": "MODERATE"
},
"details": "### Impact\n\nA malicious user could feed a specially crafted archive to this library causing RCE, modification of files or other bad things in the context of whatever user is running this library as, through the program that imports it.\n\nThe severity highly depends on the user\u0027s permissions and environment it is being ran in (e.g., non root, read only root container would likely have no impact vs running something as root on a production system).\n\nThe severity is also dependent on **arbitrary archives** being passed or not.\n\nBased on the above, severity high was picked to be safe.\n\n### Patches\n\nPatched with the help of snyk and gosec in v1.0.1\n\n### Workarounds\n\nThe only workaround is to manually validate archives before submitting them to this library, however that is not recommended vs upgrading to unaffected versions.\n\n### References\n\nhttps://security.snyk.io/research/zip-slip-vulnerability",
"id": "GHSA-j95m-rcjp-q69h",
"modified": "2025-11-07T16:43:11Z",
"published": "2025-03-28T14:45:59Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/jaredallard/archives/security/advisories/GHSA-j95m-rcjp-q69h"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-64346"
},
{
"type": "WEB",
"url": "https://github.com/jaredallard/archives/commit/3bddec7bd3f38afbe97ae61d1c8a8487e9ea4ef1"
},
{
"type": "PACKAGE",
"url": "https://github.com/jaredallard/archives"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "github.com/jaredallard/archives Has Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.