CVE-2025-3445 Overview
A path traversal ("Zip Slip") vulnerability has been identified in the Go library mholt/archiver. A crafted ZIP file containing symlinks whose targets traverse out of the extraction directory can be used to create or overwrite files with the privileges of the user or application that extracts it with the library.
When an application extracts ZIP files with archiver.Unarchive, for example archiver.Unarchive(zipFile, outputDir), a crafted archive can write files to any location the extracting process can write to. Sensitive files may be overwritten, which in some deployments leads to privilege escalation, code execution, or other severe outcomes.
A similar vulnerability affecting TAR extraction was reported earlier as CVE-2024-0406. A fix was implemented but has not been officially released, and the affected project has since been deprecated. The successor to mholt/archiver is a new project, mholt/archives, whose initial release (v0.1.0) removes the Unarchive() functionality.
Critical Impact
An attacker who can supply an archive to the extracting application can overwrite any file that application can write, which may lead to privilege escalation.
Affected Products
- mholt/archiver
Discovery Timeline
- 2025-04-13 - CVE CVE-2025-3445 published to NVD
- 2025-04-15 - Last updated in NVD database
Technical Details for CVE-2025-3445
Vulnerability Analysis
The vulnerability arises in the Unarchive functionality of mholt/archiver: a ZIP file containing path traversal symlinks can redirect where entries are written during extraction. A maliciously crafted archive can therefore overwrite files on the host outside the intended output directory.
Root Cause
The root cause is improper validation of file paths when extracting archives, allowing a crafted archive to traverse directories.
Attack Vector
Typically network-based: a specially crafted ZIP file is delivered to an application (for example through an upload endpoint or a downloaded artifact) that extracts it with the archiver library.
// Vulnerable usage pattern (sanitized): archiver v3 extracts every entry of the
// archive into outputDir without rejecting symlinks that escape it.
package main

import (
	"github.com/mholt/archiver/v3"
)

func main() {
	// malicious.zip is attacker-controlled; Unarchive writes with this process's privileges.
	err := archiver.Unarchive("malicious.zip", "/vulnerable/output/")
	if err != nil {
		panic(err)
	}
}
Detection Methods for CVE-2025-3445
Indicators of Compromise
- Unexpected file changes in sensitive directories, especially shortly after an archive was processed
- Symlinks inside extraction directories whose targets point outside those directories (absolute paths or ../ chains)
- Application logs showing archive extraction via archiver.Unarchive of archives from untrusted sources, or files appearing outside the intended output directory
Detection Strategies
Validate and log the destination path of every entry before it is written during ZIP extraction. Use endpoint detection solutions such as SentinelOne to alert on unauthorized changes to sensitive files.
Monitoring Recommendations
Monitor archives for unexpected symlinks and use file integrity monitoring tools to detect unauthorized file modifications. Implement logging mechanisms to capture file operations.
How to Mitigate CVE-2025-3445
Immediate Actions Required
- Do not extract archives from untrusted sources with the archiver library
- Validate the destination path of every entry (including symlink targets) before extraction
- Extract into a dedicated temporary directory as a low-privilege account, and only then move validated files to their final location
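The root cause described above (entry paths and symlink targets written without checking that they stay inside the output directory) and the "validate file paths before extraction" action both come down to the same checks. The following is an added example written for this page, not code from mholt/archiver or mholt/archives: a small extractor built on Go's archive/zip that rejects names that traverse out of the destination, symlinks whose targets leave it, and writes whose parent directory resolves (through a symlink) outside it. The same checks can be run as a pre-extraction scan of untrusted archives. The archives it builds in memory are constructed test data, and the 1 MiB per-entry cap is an assumption for the example.

```go
package main

import (
	"archive/zip"
	"bytes"
	"errors"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
)

// ErrUnsafePath is returned for any entry that would end up outside the destination.
var ErrUnsafePath = errors.New("zip entry escapes destination")
// within reports whether p is base itself or lies below it (both paths already cleaned).
func within(base, p string) bool {
	return p == base || strings.HasPrefix(p, base+string(os.PathSeparator))
}

// ExtractZip extracts an in-memory archive into dest, rejecting names that traverse out of dest, symlinks whose targets leave dest, and writes whose parent directory resolves outside it.
func ExtractZip(data []byte, dest string) error {
	zr, err := zip.NewReader(bytes.NewReader(data), int64(len(data)))
	if err != nil && !errors.Is(err, zip.ErrInsecurePath) { // the Reader is still usable; names are checked below
		return err
	}
	if err := os.MkdirAll(dest, 0o755); err != nil {
		return err
	}
	realDest, err := filepath.EvalSymlinks(dest)
	if err != nil {
		return err
	}
	for _, f := range zr.File {
		target := filepath.Join(dest, f.Name) // Join cleans, so "../" is collapsed before the check
		if !within(dest, target) {
			return fmt.Errorf("%w: %q", ErrUnsafePath, f.Name)
		}
		if f.Mode().IsDir() { // directories are created on demand below (empty ones are dropped)
			continue
		}
		parent := filepath.Dir(target)
		if err := os.MkdirAll(parent, 0o755); err != nil {
			return err
		}
		if realParent, err := filepath.EvalSymlinks(parent); err != nil { // an earlier entry may have planted a symlink here
			return err
		} else if !within(realDest, realParent) {
			return fmt.Errorf("%w: parent of %q resolves to %q", ErrUnsafePath, f.Name, realParent)
		}
		rc, err := f.Open()
		if err != nil {
			return err
		}
		body, err := io.ReadAll(io.LimitReader(rc, 1<<20)) // 1 MiB cap is an assumption here; real code should reject oversized entries
		rc.Close()
		if err != nil {
			return err
		}
		if f.Mode()&os.ModeSymlink != 0 {
			linkTarget := string(body) // a zip symlink stores its target as the entry body
			if filepath.IsAbs(linkTarget) || !within(dest, filepath.Join(parent, linkTarget)) {
				return fmt.Errorf("%w: symlink %q -> %q", ErrUnsafePath, f.Name, linkTarget)
			}
			if err := os.Symlink(linkTarget, target); err != nil {
				return err
			}
			continue
		}
		if err := os.WriteFile(target, body, 0o644); err != nil {
			return err
		}
	}
	return nil
}

// entry is one archive member for buildZip; a symlink entry carries its link target in body.
type entry struct{ name, body string; symlink bool }

// buildZip constructs an archive in memory (constructed test data, not a captured sample).
func buildZip(entries []entry) []byte {
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	for _, e := range entries {
		hdr := &zip.FileHeader{Name: e.name, Method: zip.Store}
		if e.symlink {
			hdr.SetMode(os.ModeSymlink | 0o777)
		}
		w, _ := zw.CreateHeader(hdr) // error-free for the constructed entries used here
		w.Write([]byte(e.body))
	}
	zw.Close()
	return buf.Bytes()
}

func main() {
	dest, _ := os.MkdirTemp("", "zipslip-demo")
	defer os.RemoveAll(dest)
	fmt.Println(ExtractZip(buildZip([]entry{{name: "escape", body: "../../", symlink: true}, {name: "escape/evil.txt", body: "pwned"}}), dest))
}
```

The lexical check on filepath.Join catches "../" names, the symlink branch catches targets that lexically escape, and the EvalSymlinks check on the parent catches a write routed through a symlink that already exists on disk. Running the block prints an ErrUnsafePath error for the constructed escaping symlink and writes nothing outside the temporary directory.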
Patch Information
Migrate to mholt/archives v0.1.0, which removes the vulnerable Unarchive() functionality. It is a separate module with a different API, so this is a code migration rather than a drop-in version bump, and no patched release of mholt/archiver itself is available.
Workarounds
Ban ZIP extraction from untrusted sources, or sandbox it so that even a successful traversal cannot reach sensitive files. For example, deny the account that runs the extraction any access to critical paths (add -R to cover a whole tree):
# Configuration example
setfacl -m u:youruser:--- /path/to/critical
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

