CVE-2025-0377 Overview
CVE-2025-0377 is a path traversal vulnerability in HashiCorp's go-slug library, the Go package HashiCorp uses to pack a directory into a tar-based "slug" and unpack it again. According to HashiCorp's advisory (HCSEC-2025-01), the library is vulnerable to a zip-slip style attack when a non-existing user-provided path is extracted from a tar entry. An attacker who can supply an archive to an application that unpacks it with go-slug can craft entry names containing directory traversal sequences so that files are written outside the intended extraction directory.
Critical Impact
Successful exploitation is an arbitrary file write with the privileges of the process performing the extraction. What that buys the attacker depends on what that process can write to: overwriting cron entries, SSH authorized_keys, service configuration, or application binaries turns the file write into code execution, configuration tampering, or full compromise of the host.
Affected Products
- HashiCorp go-slug, versions prior to 0.16.3 (the fixed release named in HCSEC-2025-01)
Discovery Timeline
- 2025-01-21 - CVE-2025-0377 published to NVD
- 2025-12-15 - Last updated in NVD database
Technical Details for CVE-2025-0377
Vulnerability Analysis
This vulnerability belongs to the zip-slip class of path traversal bugs that affect archive extraction code. The go-slug library, used across HashiCorp's ecosystem to package and extract directory contents, computes a destination path for each tar entry from the attacker-controlled entry name and did not adequately verify that the resulting path stays inside the destination directory.
The vulnerability is recorded under CWE-59 (Improper Link Resolution Before File Access). That weakness covers the symlink side of zip-slip: an entry name that looks harmless can still land outside the destination if a path component inside the destination is a symbolic link that points elsewhere. The other half of the same escape is the purely lexical one, where an entry name carries relative components (such as ../) or an absolute path and, once joined with the destination, resolves to a location outside it.
Root Cause
The root cause is insufficient validation of the destination path computed for each tar entry. The advisory singles out the case where the user-provided path does not yet exist, which points at the classic pitfall in this kind of check: a validation that inspects the target on disk (for example by resolving symlinks on it) has nothing to inspect for a file that has not been created yet, so the check has to be made on the lexical path and on the nearest existing ancestor of the target instead.
A correct extractor canonicalizes the destination directory and the joined target path, resolves symlinks on whatever part of the target already exists, and rejects any entry whose final location is not the destination itself or a path below it, before anything is written to disk. Missing any one of those steps lets ../ sequences, absolute names, or a symlinked subdirectory escape the extraction boundary.
Attack Vector
In CVSS terms the attack vector is network-based and requires neither privileges nor user interaction, but go-slug is a library, so the actual exposure is whatever application accepts archives from untrusted parties and unpacks them with a vulnerable version. An attacker exploits the flaw by:
- Crafting a malicious tar archive containing entries with path traversal sequences (e.g., ../../etc/cron.d/malicious)
- Providing this archive to an application that uses the vulnerable go-slug library for extraction
- When the archive is extracted, files are written to arbitrary locations on the filesystem
The primitive is an arbitrary file write, which attackers routinely convert into code execution by dropping cron jobs, appending to SSH authorized_keys, or replacing configuration files and application binaries that the extracting process is allowed to write.
For detailed technical information about the vulnerability mechanism, refer to the HashiCorp Security Advisory HCSEC-2025-01.
Detection Methods for CVE-2025-0377
Indicators of Compromise
- Unexpected files appearing in system directories outside normal application paths
- Tar archive processing logs showing entry names with ../ sequences, absolute paths, or a bare .. component
- Modifications to critical system files or configuration files during archive extraction operations
- File system events showing writes to sensitive directories during go-slug operations
Detection Strategies
- Monitor file system operations during tar extraction for writes outside expected directories
- Implement application-level logging that records the destination and every extracted entry name, and flag entries that escape; a substring match on ../ alone misses absolute names and a bare .., so compare the joined, cleaned path against the destination instead
- Deploy file integrity monitoring on critical system directories to detect unauthorized modifications
- Review application logs for go-slug library usage and associated file operations
Monitoring Recommendations
- Enable audit logging for file creation and modification events in sensitive system directories
- Configure SIEM rules to alert on path traversal patterns in application logs
- Monitor for unusual file writes in directories such as /etc/, /usr/, and application binary directories
- Implement runtime application self-protection (RASP) to detect and block path traversal attempts
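The detection bullets above call for flagging traversal patterns in extraction logs. The Go program below is an added example, not part of the original page or of go-slug: it assumes the extracting application writes one logfmt-style line per entry with dest= and entry= fields (the sample log is constructed for the example) and contrasts a plain "../" substring rule with a rule that recomputes the joined path and checks whether it leaves dest. The second rule also catches an absolute entry name, a bare "..", and backslash-separated names that a Windows extractor would honour.

```go
package main

import (
	"fmt"
	"path/filepath"
	"strings"
)

// Finding is one log line flagged by scanExtractLog.
type Finding struct {
	Line   int    // 1-based index into the log
	Entry  string // the tar entry name as logged
	Reason string
}

// sampleLog is constructed for this example. The key=value layout is an
// assumption about how the extracting application logs each entry it
// unpacks; go-slug itself does not define this format.
var sampleLog = []string{
	`ts=2025-01-21T10:00:00Z msg=extract dest=/srv/work/run-1 entry=main.tf`,
	`ts=2025-01-21T10:00:01Z msg=extract dest=/srv/work/run-1 entry=modules/vpc/main.tf`,
	`ts=2025-01-21T10:00:02Z msg=extract dest=/srv/work/run-1 entry=../../etc/cron.d/backup`,
	`ts=2025-01-21T10:00:03Z msg=extract dest=/srv/work/run-1 entry=/root/.ssh/authorized_keys`,
	`ts=2025-01-21T10:00:04Z msg=extract dest=/srv/work/run-1 entry=modules/../../run-2/main.tf`,
	`ts=2025-01-21T10:00:05Z msg=extract dest=/srv/work/run-1 entry=..`,
	`ts=2025-01-21T10:00:06Z msg=extract dest=/srv/work/run-1 entry=..\..\x`,
}

// parseKV splits a logfmt-style line into key/value pairs (values without spaces only).
func parseKV(line string) map[string]string {
	kv := make(map[string]string)
	for _, field := range strings.Fields(line) {
		if i := strings.IndexByte(field, '='); i > 0 {
			kv[field[:i]] = field[i+1:]
		}
	}
	return kv
}

// naiveRule is the substring match many first-draft SIEM rules use.
func naiveRule(entry string) bool { return strings.Contains(entry, "../") }

// classify reproduces the check the extractor should have made: reject absolute
// names, reject backslashes (a Windows extractor treats them as separators), and
// reject any name whose joined, cleaned path is not dest or below it.
func classify(dest, entry string) (string, bool) {
	switch {
	case strings.HasPrefix(entry, "/") || filepath.IsAbs(entry):
		return "absolute entry path", true
	case strings.Contains(entry, `\`):
		return "backslash in entry name (Windows separator)", true
	}
	dest = filepath.Clean(dest)
	target := filepath.Join(dest, entry)
	if target != dest && !strings.HasPrefix(target, dest+string(filepath.Separator)) {
		return "resolves outside dest: " + target, true
	}
	return "", false
}

// scanExtractLog flags every logged entry that would have escaped its dest.
func scanExtractLog(lines []string) []Finding {
	var findings []Finding
	for i, line := range lines {
		kv := parseKV(line)
		dest, entry := kv["dest"], kv["entry"]
		if dest == "" || entry == "" {
			continue
		}
		if reason, bad := classify(dest, entry); bad {
			findings = append(findings, Finding{Line: i + 1, Entry: entry, Reason: reason})
		}
	}
	return findings
}

// countNaive counts the lines the substring rule would catch, for comparison.
func countNaive(lines []string) int {
	n := 0
	for _, line := range lines {
		if naiveRule(parseKV(line)["entry"]) {
			n++
		}
	}
	return n
}

func main() {
	findings := scanExtractLog(sampleLog)
	for _, f := range findings {
		fmt.Printf("line %d: %-30s %s\n", f.Line, f.Entry, f.Reason)
	}
	fmt.Printf("path-resolution rule: %d hits, substring rule: %d hits\n", len(findings), countNaive(sampleLog))
}
```

On the constructed log the substring rule fires on two lines while the path-resolution rule fires on five; the absolute name, the bare .. and the backslash variant are the ones a "../" grep never sees. The same classify logic is what a SIEM rule should encode if the log ships the destination alongside the entry name.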
How to Mitigate CVE-2025-0377
Immediate Actions Required
- Identify all applications and services that depend on the HashiCorp go-slug library (go list -m all in each module, or go version -m on built binaries, shows the selected version) and prioritize patching
- Review the HashiCorp Security Advisory HCSEC-2025-01 for specific remediation guidance
- Update go-slug to 0.16.3 or a later release, as recommended by HashiCorp
- Audit systems that process user-provided tar archives for signs of compromise
Patch Information
HashiCorp has released a security advisory, HCSEC-2025-01, addressing this vulnerability and naming go-slug 0.16.3 as the fixed version. Organizations should update the go-slug dependency to that version or later and rebuild and redeploy every binary that links it. The patch tightens path validation so that an extracted entry cannot resolve outside the intended destination directory.
Workarounds
- Restrict the sources from which tar archives are accepted to trusted origins only
- Implement additional application-level path validation before passing archives to go-slug
- Run applications using go-slug in sandboxed environments with restricted filesystem permissions
- Use container isolation to limit the impact of potential exploitation
# Show the go-slug version selected for this module (direct or indirect dependency)
go list -m all | grep go-slug
# Update go-slug to the latest release; the fix for CVE-2025-0377 ships in v0.16.3,
# so any version at or above that is patched
go get github.com/hashicorp/go-slug@latest
go mod tidy
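The Root Cause and Attack Vector sections describe the bug in prose, and the Workarounds list asks for application-level path validation before an archive reaches go-slug. The Go program below is an added example written for this page; it is neither go-slug's code nor HashiCorp's fix, and its extractor is a minimal stand-in for whatever unpacks the archive. It builds a one-entry tar archive in memory whose entry name is ../../escape.txt (constructed input), then extracts it twice: once with the naive filepath.Join resolver that characterises zip-slip, which writes the file two levels above the destination, and once with a hardened resolver that rejects absolute names, names that lexically leave the destination, and names that escape through a symlinked directory. Because the entry usually does not exist yet, the hardened resolver resolves symlinks on the nearest existing ancestor of the target rather than on the target itself, which is the "non-existing path" case the advisory refers to. Used as a pre-check over an archive's headers, the same safeTarget function is the workaround the list describes.

```go
package main

import (
	"archive/tar"
	"bytes"
	"errors"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
)

var ErrOutsideDest = errors.New("tar entry escapes destination directory")

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// buildTar builds a one-entry tar archive in memory (constructed input; the entry name is attacker-controlled).
func buildTar(name, content string) []byte {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	must(tw.WriteHeader(&tar.Header{Name: name, Typeflag: tar.TypeReg, Mode: 0o644, Size: int64(len(content))}))
	_, err := io.WriteString(tw, content)
	must(err)
	must(tw.Close())
	return buf.Bytes()
}

// withinDir reports whether p is dir itself or lexically below it.
func withinDir(dir, p string) bool { return p == dir || strings.HasPrefix(p, dir+string(filepath.Separator)) }

// naiveTarget is the zip-slip bug: filepath.Join cleans "../", so "../../x" lands two levels above dest.
func naiveTarget(dest, name string) (string, error) { return filepath.Join(dest, name), nil }

// safeTarget rejects absolute names, names that lexically escape dest, and names that escape through a
// symlink. The entry usually does not exist yet, so symlinks are resolved on its nearest existing ancestor.
func safeTarget(dest, name string) (string, error) {
	absDest, err := filepath.Abs(dest)
	if err != nil {
		return "", err
	}
	target := filepath.Join(absDest, name)
	if filepath.IsAbs(name) || strings.HasPrefix(name, "/") || !withinDir(absDest, target) {
		return "", ErrOutsideDest
	}
	existing := target // walk up to the nearest path that exists on disk (dest itself at the latest)
	for _, err := os.Lstat(existing); err != nil && filepath.Dir(existing) != existing; _, err = os.Lstat(existing) {
		existing = filepath.Dir(existing)
	}
	resolvedDest, err1 := filepath.EvalSymlinks(absDest)
	resolvedExisting, err2 := filepath.EvalSymlinks(existing)
	if err1 != nil || err2 != nil {
		return "", errors.Join(err1, err2)
	}
	rel, _ := filepath.Rel(existing, target) // existing is an ancestor of target, so Rel cannot fail
	if !withinDir(resolvedDest, filepath.Join(resolvedExisting, rel)) {
		return "", ErrOutsideDest
	}
	return target, nil
}

// extract writes the regular files in r under dest at the path resolve returns for each entry.
// A minimal extractor for the demonstration, not go-slug's own.
func extract(dest string, r io.Reader, resolve func(dest, name string) (string, error)) error {
	tr := tar.NewReader(r)
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			return nil
		} else if err != nil {
			return err
		}
		if hdr.Typeflag != tar.TypeReg {
			return fmt.Errorf("entry %q: only regular files are handled here", hdr.Name)
		}
		target, err := resolve(dest, hdr.Name)
		if err != nil {
			return fmt.Errorf("entry %q: %w", hdr.Name, err)
		}
		if err := os.MkdirAll(filepath.Dir(target), 0o755); err != nil {
			return err
		}
		if data, err := io.ReadAll(tr); err != nil { // fine for small slugs; stream to disk for large archives
			return err
		} else if err := os.WriteFile(target, data, 0o644); err != nil {
			return err
		}
	}
}

func main() {
	root, err := os.MkdirTemp("", "zipslip")
	must(err)
	defer os.RemoveAll(root)
	dest := filepath.Join(root, "work", "run-1")
	must(os.MkdirAll(dest, 0o755))
	archive := buildTar("../../escape.txt", "pwned\n")
	fmt.Println("naive:", extract(dest, bytes.NewReader(archive), naiveTarget)) // <nil>, and <root>/escape.txt now exists
	fmt.Println("safe: ", extract(dest, bytes.NewReader(archive), safeTarget)) // entry rejected, nothing written
}
```

The lexical check alone would already stop the ../../escape.txt entry; the ancestor-walk and EvalSymlinks step is what additionally stops an archive that first drops a symlink inside dest and then writes through it, which is the CWE-59 variant. Resolving on the nearest existing ancestor rather than on the target is the detail that keeps the check meaningful for paths that do not exist yet.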
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

