Upstream information
Description
A Path Traversal "Zip Slip" vulnerability has been identified in mholt/archiver in Go. This vulnerability allows using a crafted ZIP file containing path traversal symlinks to create or overwrite files with the privileges of the user or application utilizing the library. When using the archiver.Unarchive functionality with ZIP files, like this: archiver.Unarchive(zipFile, outputDir), a crafted ZIP file can be extracted in such a way that it writes files to the affected system with the same privileges as the application executing this vulnerable functionality. Consequently, sensitive files may be overwritten, potentially leading to privilege escalation, code execution, and other severe outcomes in some cases.
It's worth noting that a similar vulnerability was found in TAR files (CVE-2024-0406). Although a fix was implemented, it hasn't been officially released, and the affected project has since been deprecated. The successor to mholt/archiver is a new project called mholt/archives, and its initial release (v0.1.0) removes the Unarchive() functionality.
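As an added, defender-side example (not code from mholt/archiver, mholt/archives or SUSE): a scan that performs the checks a safe ZIP extractor has to make before writing anything to outputDir, which is exactly what the vulnerable Unarchive did not do. It uses only the standard library's archive/zip and builds a constructed in-memory sample; absolute symlink targets are refused outright, relative ones are resolved from the link's own directory.

```go
package main

import (
	"archive/zip"
	"bytes"
	"io"
	"os"
	"path/filepath"
	"strings"
)

// inside reports whether p (a cleaned path) lies at or below root.
func inside(root, p string) bool {
	rel, err := filepath.Rel(root, p)
	return err == nil && rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator))
}
// CheckEntries validates, without writing anything, that every entry path and every
// symlink target resolves inside outputDir. It returns one "name: reason" per refusal.
func CheckEntries(r *zip.Reader, outputDir string) (bad []string) {
	for _, f := range r.File {
		dest := filepath.Join(outputDir, filepath.FromSlash(f.Name))
		if !inside(outputDir, dest) {
			bad = append(bad, f.Name+": path escapes output directory")
		} else if f.Mode()&os.ModeSymlink != 0 {
			rc, err := f.Open()
			if err != nil {
				bad = append(bad, f.Name+": unreadable symlink entry")
				continue
			}
			target, _ := io.ReadAll(rc) // a symlink entry's body is its target path
			rc.Close()
			if t := filepath.FromSlash(string(target)); filepath.IsAbs(t) || !inside(outputDir, filepath.Join(filepath.Dir(dest), t)) {
				bad = append(bad, f.Name+": symlink target escapes output directory ("+t+")")
			}
		}
	}
	return bad
}
// SampleZip builds in memory a constructed archive of the shape the advisory describes.
func SampleZip() *zip.Reader {
	var buf bytes.Buffer
	w := zip.NewWriter(&buf)
	link := &zip.FileHeader{Name: "docs/link"} // symlink entry pointing above outputDir
	link.SetMode(os.ModeSymlink | 0o777)
	lw, _ := w.CreateHeader(link)
	lw.Write([]byte("../../"))
	w.Create("docs/readme.txt") // legitimate entry, must not be flagged
	w.Close()
	r, _ := zip.NewReader(bytes.NewReader(buf.Bytes()), int64(buf.Len()))
	return r
}
```

An extractor should also refuse to write any later entry whose path passes through a symlink the archive itself created earlier; that check is omitted here for brevity.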
SUSE information
Overall state of this security issue: Resolved
This issue is currently rated as having important severity.
Metric | CNA (JFrog) | SUSE |
---|---|---|
Base Score | 8.1 | 8.1 |
Vector | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:H/A:L | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:H/A:L |
Attack Vector | Network | Network |
Attack Complexity | High | High |
Privileges Required | None | None |
User Interaction | None | None |
Scope | Changed | Changed |
Confidentiality Impact | Low | Low |
Integrity Impact | High | High |
Availability Impact | Low | Low |
CVSSv3 Version | 3.1 | 3.1 |
SUSE Security Advisories:
- openSUSE-SU-2025:15001-1, published Thu Apr 17 18:52:12 2025
List of released packages
Product(s) | Fixed package version(s) | References |
---|---|---|
openSUSE Tumbleweed | | Patchnames: openSUSE-Tumbleweed-2025-15001 |
SUSE Timeline for this CVE
CVE page created: Mon Apr 14 02:00:06 2025
CVE page last modified: Thu Apr 17 21:08:14 2025