CVE CyberSecurity Database News

CVE-2025-3445 - Unpacking Danger — "Zip Slip" Path Traversal in mholt/archiver for Go

Poster -

A new path traversal vulnerability, now identified as CVE-2025-3445, has been discovered in the popular Go library mholt/archiver. This security flaw, commonly called a "Zip Slip," lets attackers use specially crafted ZIP files containing symlinks and path traversal sequences (../) to write or overwrite files anywhere on the victim's file system. Because the extraction is done using the application's own privileges, the impact can be severe: overwriting config files, adding malicious scripts, or even escalating privileges.

This post will break down what this vulnerability means, show you sample exploit code, and guide you toward safer alternatives.

What Is "Zip Slip"?

"Zip Slip" is an old but dangerous trick. When extracting files from ZIP (or other archive) formats, a naive extractor might take each file inside the archive and write it directly to disk without checking its path. If a file in the archive says its name is ../../../../etc/passwd, the extractor will blindly put it there — oops.

In the context of mholt/archiver, the core extraction function archiver.Unarchive(zipFile, outputDir) is vulnerable.

Let's look at how this is typically used in a Go application

import "github.com/mholt/archiver/v3"

func extractZip(zipFile string, outputDir string) error {
    // Vulnerable usage:
    err := archiver.Unarchive(zipFile, outputDir)
    return err
}

If zipFile is controlled by an attacker (e.g., user uploads), a malicious ZIP can trick this function into writing files *anywhere*.

An attacker creates a ZIP archive with a file entry like

../some/path/evil.sh

Or worse, tries to overwrite system files

../../../../etc/passwd

When the ZIP is extracted using archiver.Unarchive(), Go will happily write to these paths unless explicitly prevented.

Overwriting application configs (for persistence)

- Dropping a malicious script in /tmp or a cron directory (/etc/cron.d)

Overwriting SSH keys or sudoers files

Symlinks: Some variations also include symlink entries that point outside the intended extraction folder.

Here is a simple ZIP archive creation in Python, showing how an attacker could build such a ZIP

import zipfile

with zipfile.ZipFile("exploit.zip", "w") as z:
    # Overwrite /etc/passwd on extraction!
    z.writestr("../../../../etc/passwd", "malicious content\n")

When exploited using the vulnerable Go code above, the file /etc/passwd would be overwritten with "malicious content".

Relationship to Previous Bugs

A related vulnerability (CVE-2024-0406) was found in the same library for TAR archives last year. A fix was created but not released, and mholt/archiver has since been deprecated.

> Official statement: The project is no longer maintained.

Stop using mholt/archiver!

- The author recommends switching to mholt/archives, where the dangerous Unarchive() functionality has been removed in version v.1..
- Always validate file paths inside archives, preventing any entries with ../ or leading slashes.
- Use libraries that explicitly guard against path traversal (like Go’s archive/zip with manual path validation).

If you *must* extract ZIP files, validate the paths like this in Go

import (
    "archive/zip"
    "io"
    "os"
    "path/filepath"
    "strings"
)

func safeUnzip(src, dest string) error {
    r, err := zip.OpenReader(src)
    if err != nil {
        return err
    }
    defer r.Close()

    for _, f := range r.File {
        // Clean up path
        normalized := filepath.Clean(f.Name)
        if strings.Contains(normalized, "..") || filepath.IsAbs(normalized) {
            // Path traversal attempt!
            continue
        }
        outputPath := filepath.Join(dest, normalized)
        if f.FileInfo().IsDir() {
            os.MkdirAll(outputPath, 0755)
            continue
        }
        rc, err := f.Open()
        if err != nil {
            return err
        }
        os.MkdirAll(filepath.Dir(outputPath), 0755)
        outFile, err := os.Create(outputPath)
        if err != nil {
            rc.Close()
            return err
        }
        io.Copy(outFile, rc)
        outFile.Close()
        rc.Close()
    }
    return nil
}

References and Further Reading

- CVE-2025-3445 (NVD) *(pending publication)*
- mholt/archiver GitHub Repository
- mholt/archives GitHub (Safe Successor)
- Zip Slip Vulnerability Explanation (Snyk)
- Similar Issue in Tar Files (CVE-2024-0406)

Final Word

CVE-2025-3445 is a dangerous bug, and because mholt/archiver is now deprecated, there will be no patches. If you’re handling user-supplied ZIP files in Go, immediately migrate to a safer library, or add strict path checks.

Don’t let your archive extraction process become an attacker’s entry point. Stay safe!

Timeline

Published on: 04/13/2025 22:15:12 UTC
Last modified on: 04/15/2025 18:39:27 UTC