x/vulndb: potential Go vuln in github.com/mholt/archiver: CVE-2025-3445 · Issue #3605 · golang/vulndb · GitHub

x/vulndb: potential Go vuln in github.com/mholt/archiver: CVE-2025-3445 #3605


Open
GoVulnBot opened this issue Apr 14, 2025 · 2 comments

@GoVulnBot

Advisory CVE-2025-3445 references a vulnerability in the following Go modules:

Module
github.com/mholt/archiver

Description:
A Path Traversal "Zip Slip" vulnerability has been identified in mholt/archiver in Go. This vulnerability allows using a crafted ZIP file containing path traversal symlinks to create or overwrite files with the user's privileges or application utilizing the library.

When using the archiver.Unarchive functionality with ZIP files, like this: archiver.Unarchive(zipFile, outputDir), a crafted ZIP file can be extracted in such a way that it writes files to the affected system with the same privileges as the application executing this vulnerable functionality. Consequently, sensitive files may be...

References:

Cross references:

See doc/quickstart.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/mholt/archiver
      vulnerable_at: 2.1.0+incompatible
summary: CVE-2025-3445 in github.com/mholt/archiver
cves:
    - CVE-2025-3445
references:
    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2025-3445
    - web: https://github.com/mholt/archiver/
source:
    id: CVE-2025-3445
    created: 2025-04-14T00:01:17.152067798Z
review_status: UNREVIEWED
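The archive shape the advisory describes, as an added example that is not code from this issue or from mholt/archiver: a symlink entry whose target escapes the destination, followed by a regular file whose path runs through that symlink. An extractor that only cleans "../" segments with filepath.Join, recreates symlink entries verbatim, and then opens later entries by their joined path follows the symlink out of the destination. The checker below, written for this page against Go's standard archive/zip, rejects an entry when its cleaned path, the real (symlink-resolved) directory it would land in, or a symlink's resolved target falls outside the destination. Function names and the sample archive are mine, not the library's.

```go
package main

import (
	"archive/zip"
	"bytes"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
)

// buildMaliciousZip builds, in memory, the archive shape the advisory
// describes: a symlink entry "link" pointing at linkTarget (which may escape
// the extraction root), then a regular file "link/pwned.txt" whose path runs
// through that symlink. Constructed sample input, not a captured exploit.
func buildMaliciousZip(linkTarget string) []byte {
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	hdr := &zip.FileHeader{Name: "link", Method: zip.Store}
	hdr.SetMode(os.ModeSymlink | 0o777) // symlink entry: the body is the link target
	w, _ := zw.CreateHeader(hdr)        // in-memory writes of valid headers cannot fail
	w.Write([]byte(linkTarget))
	w, _ = zw.Create("link/pwned.txt") // path runs through the symlink
	w.Write([]byte("owned\n"))
	zw.Close()
	return buf.Bytes()
}

// within reports whether p is root or lies beneath it, comparing path
// components rather than a string prefix (/tmp/dest2 is not inside /tmp/dest).
func within(root, p string) bool {
	rel, err := filepath.Rel(root, p)
	return err == nil && rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

// realDir resolves the deepest existing ancestor of dir through symlinks and
// re-appends the not-yet-created remainder, so the containment check runs
// before MkdirAll could create anything through a pre-existing or earlier symlink.
func realDir(dir string) (string, error) {
	rest := ""
	for _, err := os.Lstat(dir); err != nil; _, err = os.Lstat(dir) {
		dir, rest = filepath.Dir(dir), filepath.Join(filepath.Base(dir), rest)
	}
	resolved, err := filepath.EvalSymlinks(dir)
	return filepath.Join(resolved, rest), err
}

// safeExtract rejects an entry when its cleaned path, the real directory it
// would land in, or (for symlinks) its resolved target falls outside dest.
func safeExtract(data []byte, dest string) error {
	root, err := filepath.Abs(dest)
	if err == nil {
		err = os.MkdirAll(root, 0o755)
	}
	if err == nil {
		root, err = filepath.EvalSymlinks(root) // dest itself may sit under a symlink (/tmp on macOS)
	}
	if err != nil {
		return err
	}
	zr, err := zip.NewReader(bytes.NewReader(data), int64(len(data)))
	if err != nil {
		return err
	}
	for _, f := range zr.File {
		p := filepath.Join(root, filepath.FromSlash(f.Name)) // Join cleans "../" segments
		if !within(root, p) {
			return fmt.Errorf("entry %q escapes %s", f.Name, root)
		}
		if parent, err := realDir(filepath.Dir(p)); err != nil || !within(root, parent) {
			return fmt.Errorf("parent of %q resolves outside %s (%v)", f.Name, root, err)
		}
		if err := os.MkdirAll(filepath.Dir(p), 0o755); err != nil {
			return err
		}
		rc, err := f.Open()
		if err != nil {
			return err
		}
		body, err := io.ReadAll(rc)
		rc.Close()
		if err != nil {
			return err
		}
		switch {
		case f.FileInfo().IsDir():
			err = os.MkdirAll(p, 0o755)
		case f.Mode()&os.ModeSymlink != 0:
			target, resolved := string(body), string(body)
			if !filepath.IsAbs(target) {
				resolved = filepath.Join(filepath.Dir(p), target) // lexical resolution relative to the link's dir
			}
			if !within(root, resolved) {
				return fmt.Errorf("symlink %q -> %q escapes %s", f.Name, target, root)
			}
			err = os.Symlink(target, p)
		default:
			err = os.WriteFile(p, body, 0o644)
		}
		if err != nil {
			return err
		}
	}
	return nil
}

func main() {
	tmp, _ := os.MkdirTemp("", "zipslip")
	defer os.RemoveAll(tmp)
	fmt.Println("safeExtract:", safeExtract(buildMaliciousZip("../outside"), filepath.Join(tmp, "dest")))
}
```

The symlink target is resolved lexically at creation time and the parent directory is resolved on disk before every write, so an in-tree symlink (for example "link" -> ".") still extracts, while "link" -> "../outside" is refused before the symlink is created and nothing lands outside the destination.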

@gopherbot


@thatnealpatel
Member

This report triggered an edge-case testing failure; in short, all reports are tested (all_test.go) against themselves and their future reports.

This impacts how a highPriority designation may be made.

For this particular report, it just so happens that fewer previous reports were in a REVIEWED state than not. Upon inclusion of this new (correctly classified) highPriority report, the REVIEWED counter increases. This will cause any previous reports for github.com/mholt/... that are not REVIEWED to trip a "this report should be reviewed" invariant.

To fix this, all_test.go should evaluate each report on a point-in-time basis (i.e. only consider reports up to itself when testing the invariant mentioned above) when checking for correctness.
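A constructed illustration of the test-ordering problem described in the comment above, added here and not code from golang/vulndb: the same invariant is evaluated once against the whole report set and once against only the reports up to each report's own position. The Report type, the sample IDs and module, and the invariant itself (once a module's REVIEWED reports are at least as numerous as its other reports, every report for that module is expected to be REVIEWED) are hypothetical stand-ins for this example, not all_test.go's actual logic.

```go
package main

import "fmt"

// Report is a hypothetical, simplified stand-in for a vulndb report carrying
// only the fields the illustrative invariant needs.
type Report struct {
	ID       string
	Module   string
	Reviewed bool
}

// mustBeReviewed is the hypothetical invariant: among the reports considered,
// once a module has at least as many REVIEWED reports as other reports, every
// report for that module is expected to be REVIEWED.
func mustBeReviewed(module string, considered []Report) bool {
	reviewed, other := 0, 0
	for _, r := range considered {
		if r.Module != module {
			continue
		}
		if r.Reviewed {
			reviewed++
		} else {
			other++
		}
	}
	return reviewed >= other
}

// violationsAllAtOnce checks each report against the whole set, including
// reports added after it: adding one new REVIEWED report retroactively fails
// older ones, which is the failure mode the comment describes.
func violationsAllAtOnce(reports []Report) []string {
	var bad []string
	for _, r := range reports {
		if !r.Reviewed && mustBeReviewed(r.Module, reports) {
			bad = append(bad, r.ID)
		}
	}
	return bad
}

// violationsPointInTime checks report i only against reports[:i+1], so a
// later report cannot change the verdict on an earlier one.
func violationsPointInTime(reports []Report) []string {
	var bad []string
	for i, r := range reports {
		if !r.Reviewed && mustBeReviewed(r.Module, reports[:i+1]) {
			bad = append(bad, r.ID)
		}
	}
	return bad
}

// sampleReports is a constructed history for one hypothetical module; the
// last entry is the newly added, correctly REVIEWED report.
var sampleReports = []Report{
	{"GO-A", "example.com/mod", false},
	{"GO-B", "example.com/mod", false},
	{"GO-C", "example.com/mod", true},
	{"GO-D", "example.com/mod", true},
}

func main() {
	fmt.Println("all at once:  ", violationsAllAtOnce(sampleReports))
	fmt.Println("point in time:", violationsPointInTime(sampleReports))
}
```

Before GO-D is added the module has one REVIEWED report against two others, so nothing trips; adding GO-D makes the counts equal, and the whole-set check then flags GO-A and GO-B even though neither changed, while the point-in-time check flags nothing.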

3 participants