CVE-2025-3445 in archiver

Summary

by MITRE • 04/14/2025

A Path Traversal "Zip Slip" vulnerability has been identified in mholt/archiver in Go. This vulnerability allows using a crafted ZIP file containing path traversal symlinks to create or overwrite files with the privileges of the user or application utilizing the library.

When using the archiver.Unarchive functionality with ZIP files, like this: archiver.Unarchive(zipFile, outputDir), a crafted ZIP file can be extracted in such a way that it writes files to the affected system with the same privileges as the application executing this vulnerable functionality. Consequently, sensitive files may be overwritten, potentially leading to privilege escalation, code execution, and other severe outcomes in some cases.

It's worth noting that a similar vulnerability was found in TAR files (CVE-2024-0406). Although a fix was implemented, it hasn't been officially released, and the affected project has since been deprecated. The successor to mholt/archiver is a new project called mholt/archives, and its initial release (v0.1.0) removes the Unarchive() functionality.


Analysis

by VulDB Data Team • 04/14/2025

CVE-2025-3445 is a critical path traversal flaw of the kind commonly known as "Zip Slip" in the mholt/archiver Go library. It stems from inadequate input validation during archive extraction, specifically when a ZIP file contains entries carrying path traversal sequences: the library does not sanitize entry paths before writing extracted content to the filesystem, so a specially crafted archive can steer where the extracted files land.

The vulnerability is triggered by relative path components within ZIP entries, sequences such as ../ or ..\, that traverse outside the intended extraction directory. When archiver.Unarchive processes such a ZIP file, it interprets these sequences without sanitization, so the extraction writes files to arbitrary locations on the target system. This directly violates the principle of least privilege and can result in unauthorized file creation or modification with the privileges of the executing application.

The operational impact extends beyond simple file manipulation to privilege escalation and code execution. When an application uses the affected library to process untrusted ZIP archives, an attacker can overwrite critical system files, inject malicious code into application directories, or establish persistent access. The vulnerability is particularly severe where the archiving application runs with elevated privileges, since the files it writes are created with those same privileges. This makes it especially dangerous in server environments, automated processing pipelines, and applications that handle user-uploaded content.

Security practitioners should recognize this vulnerability as aligning with CWE-22 Path Traversal and CWE-400 Uncontrolled Resource Consumption, and as mapping to the ATT&CK techniques T1059 Command and Scripting Interpreter and T1546 Event Triggered Execution. Exploitation is made easier by the fact that the flaw is triggered through routine file processing, which makes it difficult to detect and prevent with traditional security controls. Organizations using the affected library should immediately implement mitigations including input validation, privilege reduction, and sandboxed processing environments.

Remediation requires immediate migration from the vulnerable mholt/archiver library to its successor, mholt/archives, which has removed the problematic Unarchive() functionality entirely. Additionally, system administrators should implement file path validation, restrict application privileges where possible, and deploy network segmentation to limit the impact of successful exploitation. Regular security assessments should verify that no applications continue to use deprecated or vulnerable library versions, particularly where untrusted archives are handled. The similarity to CVE-2024-0406 in TAR file processing underlines the need for a comprehensive security review of every archive-handling component in an application.
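As an added example (not code from the advisory, from mholt/archiver or from mholt/archives), here is the path validation the analysis describes and the remediation recommends, in Go: each entry's name and, for a symlink, its target are resolved under the extraction directory and rejected if they land outside it. The Entry type, the destination /srv/extract and the sample entry names are constructed for this illustration.

```go
package main

import (
	"fmt"
	"path/filepath"
	"strings"
)

// Entry is what the check needs from a ZIP header. From archive/zip that is f.Name,
// f.Mode()&os.ModeSymlink != 0 and, for a symlink, the entry body (the link target).
type Entry struct {
	Name, LinkTarget string
	Symlink          bool
}

// withinDest checks lexically (no filesystem access) that name, joined under dest,
// cannot resolve outside dest; "a/../../x" and a bare ".." are both rejected.
func withinDest(dest, name string) bool {
	rel, err := filepath.Rel(filepath.Clean(dest), filepath.Join(dest, name))
	return err == nil && rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

// vetEntry rejects an entry whose path escapes dest and, for a symlink, a target that
// escapes once resolved from the link's own directory. Absolute names are refused
// outright: filepath.Join would otherwise silently re-root them under dest.
func vetEntry(dest string, e Entry) error {
	if filepath.IsAbs(e.Name) || !withinDest(dest, e.Name) {
		return fmt.Errorf("zip slip: %q escapes %q", e.Name, dest)
	}
	if !e.Symlink {
		return nil
	}
	resolved := filepath.Join(filepath.Dir(e.Name), e.LinkTarget)
	if filepath.IsAbs(e.LinkTarget) || !withinDest(dest, resolved) {
		return fmt.Errorf("zip slip: symlink %q -> %q escapes %q", e.Name, e.LinkTarget, dest)
	}
	return nil
}

// Constructed sample headers for a destination of /srv/extract (none of these
// names come from the advisory).
var sampleEntries = []Entry{
	{Name: "docs/readme.txt"},                                              // benign file
	{Name: "../../../outside/dropped.sh"},                                  // "../" traversal
	{Name: "data/link", Symlink: true, LinkTarget: "../../outside/secret"}, // target leaves dest
	{Name: "data/abs", Symlink: true, LinkTarget: "/outside/secret"},       // absolute target
	{Name: "data/ok", Symlink: true, LinkTarget: "../docs/readme.txt"},     // stays inside dest
}
```

These checks are lexical and should run over every header before anything is written. An extractor must additionally refuse to write through a symlink that already exists on disk (Lstat each path before creating it), since the header check alone cannot see the filesystem state left by earlier entries.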

Responsible: JFROG
Reservation: 04/08/2025
Disclosure: 04/14/2025
Moderation: accepted
CPE: ready
EPSS: 0.00372
KEV: no
Activities: very low
