Upstream information

CVE-2025-3445 at MITRE

Description

A Path Traversal "Zip Slip" vulnerability has been identified in mholt/archiver in Go. A crafted ZIP file containing path traversal symlinks can be used to create or overwrite files with the privileges of the user or application that uses the library.

When the archiver.Unarchive functionality is used with ZIP files, for example archiver.Unarchive(zipFile, outputDir), a crafted ZIP file can be extracted in such a way that it writes files to the affected system with the same privileges as the application executing this vulnerable functionality. Consequently, sensitive files may be overwritten, potentially leading to privilege escalation, code execution, and other severe outcomes in some cases.

It's worth noting that a similar vulnerability was found in TAR files (CVE-2024-0406). Although a fix was implemented, it hasn't been officially released, and the affected project has since been deprecated. The successor to mholt/archiver is a new project called mholt/archives, and its initial release (v0.1.0) removes the Unarchive() functionality.
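The check a consumer of such a library needs before writing anything to disk, as an added example that is not code from mholt/archiver or from SUSE: a pre-extraction audit built on Go's archive/zip that refuses entry names traversing out of the destination and symlink entries whose target is absolute or resolves outside it. The destination path "/tmp/out" and the in-memory sample archive are constructed for the demonstration.

```go
package main
import "archive/zip"
import "bytes"
import "io"
import "os"
import "path/filepath"
import "strings"
// inside is the lexical Zip Slip check: name joined onto destDir and cleaned must stay within destDir.
func inside(destDir, name string) bool {
	dest := filepath.Clean(destDir)
	p := filepath.Join(dest, name)
	return p == dest || strings.HasPrefix(p, dest+string(filepath.Separator))
}
// auditZip lists the entries an extractor must refuse: names that traverse out of destDir, and symlinks whose target is absolute, unreadable or resolves outside destDir (targets resolve relative to the link's own directory).
func auditZip(destDir string, r *zip.Reader) (rejected []string) {
	for _, f := range r.File {
		ok := inside(destDir, f.Name)
		if ok && f.Mode()&os.ModeSymlink != 0 {
			link := "" // a symlink entry's body is its target path; an unreadable body fails closed
			if rc, err := f.Open(); err == nil {
				t, _ := io.ReadAll(rc)
				rc.Close()
				link = string(t)
			}
			ok = link != "" && !filepath.IsAbs(link) && !strings.HasPrefix(link, "/") && inside(destDir, filepath.Join(filepath.Dir(f.Name), link))
		}
		if !ok {
			rejected = append(rejected, f.Name)
		}
	}
	return rejected
}
// sampleZip is a constructed in-memory archive: two safe entries and two that must be refused.
func sampleZip() *zip.Reader {
	var buf bytes.Buffer
	w := zip.NewWriter(&buf)
	add := func(name, body string, mode os.FileMode) {
		h := &zip.FileHeader{Name: name, Method: zip.Store}
		h.SetMode(mode)
		fw, _ := w.CreateHeader(h)
		fw.Write([]byte(body))
	}
	add("docs/readme.txt", "hello", 0o644)
	add("../escape.txt", "x", 0o644)                         // traversal in the entry name
	add("link-in", "docs/readme.txt", os.ModeSymlink|0o777)  // symlink staying inside destDir
	add("link-out", "../../elsewhere", os.ModeSymlink|0o777) // symlink escaping destDir
	w.Close()
	r, _ := zip.NewReader(bytes.NewReader(buf.Bytes()), int64(buf.Len())) // reader is usable even with ErrInsecurePath
	return r
}
```

This lexical audit does not by itself stop a later entry from being written through a directory symlink that an earlier entry created, so an extractor should additionally verify at write time (for example with filepath.EvalSymlinks on the parent directory) that no component of the destination path is a symlink, or refuse symlink entries outright.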

SUSE information

Overall state of this security issue: Resolved

This issue is currently rated as having important severity.

CVSS v3 Scores
                        CNA (JFrog)                                    SUSE
Base Score              8.1                                            8.1
Vector                  CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:H/A:L   CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:H/A:L
Attack Vector           Network                                        Network
Attack Complexity       High                                           High
Privileges Required     None                                           None
User Interaction        None                                           None
Scope                   Changed                                        Changed
Confidentiality Impact  Low                                            Low
Integrity Impact        High                                           High
Availability Impact     Low                                            Low
CVSSv3 Version          3.1                                            3.1
SUSE Bugzilla entry: 1241242 [NEW]

SUSE Security Advisories:

List of released packages

Product(s) Fixed package version(s) References
openSUSE Tumbleweed
  • forgejo >= 10.0.3-2.1
  • forgejo-apparmor >= 10.0.3-2.1
  • forgejo-environment-to-ini >= 10.0.3-2.1
  • forgejo-firewalld >= 10.0.3-2.1
  • forgejo-selinux >= 10.0.3-2.1
Patchnames:
openSUSE-Tumbleweed-2025-15001
SUSE Timeline for this CVE

CVE page created: Mon Apr 14 02:00:06 2025
CVE page last modified: Thu Apr 17 21:08:14 2025