Description
Advisory CVE-2025-3445 references a vulnerability in the following Go modules:
| Module |
|---|
| github.com/mholt/archiver |
Description:
A Path Traversal "Zip Slip" vulnerability has been identified in mholt/archiver in Go. This vulnerability allows using a crafted ZIP file containing path traversal symlinks to create or overwrite files with the privileges of the user or application utilizing the library.
When using the archiver.Unarchive functionality with ZIP files, like this: `archiver.Unarchive(zipFile, outputDir)`, a crafted ZIP file can be extracted in such a way that it writes files to the affected system with the same privileges as the application executing this vulnerable functionality. Consequently, sensitive files may be...
References:
Cross references:
- github.com/mholt/archiver appears in 3 other report(s):
  - data/excluded/GO-2022-0842.yaml (x/vulndb: potential Go vuln in github.com/mholt/archiver/cmd/arc: GHSA-h74j-692g-48mq #842) NOT_IMPORTABLE
  - data/reports/GO-2022-0799.yaml (x/vulndb: potential Go vuln in github.com/mholt/archiver: GHSA-5wmg-j84w-4jj4 #799)
  - data/reports/GO-2024-2698.yaml (x/vulndb: potential Go vuln in github.com/mholt/archiver: GHSA-rhh4-rh7c-7r5v #2698)
See doc/quickstart.md for instructions on how to triage this report.
```yaml
id: GO-ID-PENDING
modules:
    - module: github.com/mholt/archiver
      vulnerable_at: 2.1.0+incompatible
summary: CVE-2025-3445 in github.com/mholt/archiver
cves:
    - CVE-2025-3445
references:
    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2025-3445
    - web: https://github.com/mholt/archiver/
source:
    id: CVE-2025-3445
    created: 2025-04-14T00:01:17.152067798Z
review_status: UNREVIEWED
```
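Added example (not code from mholt/archiver or from this report): a pre-extraction check for the symlink-based Zip Slip in the advisory description above, written against Go's standard `archive/zip`. `ValidateZip` is a hypothetical helper name, and the check assumes Unix-style paths and Go 1.20 or later for `filepath.IsLocal`.

```go
package main

import (
	"archive/zip"
	"bytes"
	"fmt"
	"io"
	"os"
	"path/filepath"
)

// ValidateZip (hypothetical helper) lexically rejects names that leave the output directory,
// entries written onto or through an earlier symlink entry, and symlink targets pointing outside.
func ValidateZip(zr *zip.Reader) error {
	links := map[string]bool{} // cleaned relative paths of symlink entries seen so far
	for _, f := range zr.File {
		name := filepath.Clean(f.Name)
		if !filepath.IsLocal(name) {
			return fmt.Errorf("entry %q escapes the output directory", f.Name)
		}
		for d := name; d != "."; d = filepath.Dir(d) {
			if links[d] {
				return fmt.Errorf("entry %q is written through symlink %q", f.Name, d)
			}
		}
		if f.Mode()&os.ModeSymlink != 0 {
			rc, err := f.Open()
			if err != nil {
				return err
			}
			t, err := io.ReadAll(io.LimitReader(rc, 4096)) // the link target is the entry body
			rc.Close()
			dst := filepath.Join(filepath.Dir(name), string(t))
			if err != nil || filepath.IsAbs(string(t)) || !filepath.IsLocal(dst) {
				return fmt.Errorf("symlink %q points outside the output directory", f.Name)
			}
			links[name] = true
		}
	}
	return nil
}

func main() { // usage: go run . < archive.zip
	data, _ := io.ReadAll(os.Stdin)
	zr, err := zip.NewReader(bytes.NewReader(data), int64(len(data)))
	if err == nil {
		err = ValidateZip(zr)
	}
	fmt.Println("verdict:", err)
}
```

This is a lexical pre-check to run before handing an archive to an extractor, not a patch for the library.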