A new vulnerability, CVE-2025-3445, has been identified in the mholt/archiver library for Go. This Path Traversal ("Zip Slip") vulnerability allows malicious actors to create or overwrite files when a user unknowingly unzips a specially crafted ZIP file. Depending on the privileges of the application using the library, this can lead to privilege escalation, code execution, and other severe outcomes. In this post, we'll explore the details of this vulnerability, including references to the original research, example code, and potential mitigation strategies.
Code Snippet
An example of potentially vulnerable code is the following, where archiver.Unarchive is used to extract the contents of a ZIP file:

package main

import (
	"log"

	"github.com/mholt/archiver"
)

func main() {
	zipFile := "example.zip" // archive received from an untrusted source
	outputDir := "output/"   // intended extraction root

	// Unarchive() extracts every entry of the archive. In the affected versions it
	// does not verify that symlink entries stay inside outputDir, so a crafted ZIP
	// can make later entries land outside the extraction root.
	err := archiver.Unarchive(zipFile, outputDir)
	if err != nil {
		log.Fatal(err)
	}
}
Exploit Details
To exploit this vulnerability, an attacker would create a malicious ZIP file containing symlink entries that point outside the extraction directory (path traversal via symlinks). When the file is unzipped through the library's Unarchive() function, extraction can then create or overwrite sensitive files on the affected system. With the right privileges, this could lead to severe outcomes such as unauthorized access, privilege escalation, or code execution.
Original References
The original disclosure of this vulnerability is the CVE-2025-3445 record. Further details, including relevant research and analysis, can be found in Snyk's write-up of the Zip Slip vulnerability.
Related Vulnerabilities
It is important to note that a similar vulnerability was previously identified in TAR files, documented as CVE-2024-0406. While a fix was developed, it has not been officially released, and the affected project mholt/archiver has since been deprecated. The successor to mholt/archiver is a new project called mholt/archives, which, in its initial release (v.1.), has removed the potentially vulnerable Unarchive() functionality.
Mitigation Strategies
To mitigate this vulnerability, there are several potential actions:
1. Migrate to the successor library mholt/archives (v.1.), which removes the Unarchive() functionality.
2. Implement proper validation and sanitization of file paths when using the archiver.Unarchive() function, making sure that every path is resolved relative to the desired output directory and rejecting any path with parent directory references (e.g., "../").
3. Use a different library or method for extracting ZIP files, which may provide better security and protection against path traversal vulnerabilities.
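The path checks from item 2, extended to the symlink case this CVE concerns, as an added example that is not code from the archiver project or from the original post. The entry list `sample` is constructed; a symlink entry is modelled by its `Link` field (in a ZIP, a symlink entry stores its target as the entry body), and entries are audited in extraction order.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// Entry is what the policy needs from a ZIP entry: its name and, for a symlink
// entry, the link target stored as the entry body ("" for regular files).
type Entry struct{ Name, Link string }

// isLocal reports whether a slash-separated archive name stays under the
// extraction root: not empty, not absolute, and no ".." climbing above it.
func isLocal(name string) bool {
	clean := path.Clean(name)
	return name != "" && !strings.HasPrefix(name, "/") && clean != ".." && !strings.HasPrefix(clean, "../")
}

// audit walks entries in extraction order and returns the names a safe extractor
// must refuse: names escaping the root, symlinks whose target escapes it, and
// entries beneath an earlier symlink (writing them would follow the link out).
func audit(entries []Entry) (rejected []string) {
	links := map[string]bool{} // cleaned names of symlinks created so far
	for _, e := range entries {
		clean, ok := path.Clean(e.Name), isLocal(e.Name)
		for d := path.Dir(clean); ok && d != "."; d = path.Dir(d) {
			ok = !links[d] // an ancestor "directory" is really a symlink
		}
		if e.Link != "" { // the target resolves relative to the link's own directory
			ok = ok && !strings.HasPrefix(e.Link, "/") && isLocal(path.Join(path.Dir(clean), e.Link))
			links[clean] = true
		}
		if !ok {
			rejected = append(rejected, e.Name)
		}
	}
	return rejected
}

// sample is a constructed listing shaped like the crafted archives described above.
var sample = []Entry{
	{Name: "readme.txt"},                        // harmless regular file
	{Name: "../../etc/target.txt"},              // classic Zip Slip path
	{Name: "sub/up.txt", Link: "../inside.txt"}, // symlink that stays under the root
	{Name: "cfg", Link: "../../outside"},        // symlink whose target leaves the root
	{Name: "cfg/app.conf"},                      // would be written through "cfg"
}

func main() {
	fmt.Println("rejected:", audit(sample)) // [../../etc/target.txt cfg cfg/app.conf]
}
```

Note that the lexical check alone (the `isLocal` call) accepts both "cfg" and "cfg/app.conf"; only tracking symlink targets and the symlinks already created catches the traversal this CVE describes.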
Conclusion
The CVE-2025-3445 vulnerability in mholt/archiver represents a serious risk to applications that use the library for ZIP file extraction. Developers should assess their usage of this library and consider the identified mitigation strategies to prevent potential exploits. It is crucial to stay informed about new vulnerabilities and continually evaluate the security and stability of library dependencies and third-party code to maintain secure and reliable software.
Timeline
Published on: 04/13/2025 22:15:12 UTC
Last modified on: 04/15/2025 18:39:27 UTC