Miggo Logo
Miggo Vulnerability Database
CVE-2023-28105

CVE-2023-28105: Go-huge-util vulnerable to path traversal when unzipping files

8.8

CVSS Score
3.1

Basic Information

CVE ID
CVE-2023-28105
GHSA ID
GHSA-5g39-ppwg-6xx8
EPSS Score
0.26217%
CWE
CWE-22
Published
3/16/2023
Updated
10/2/2023
KEV Status
No
Technology
TechnologyGo

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:L
Package NameEcosystemVulnerable VersionsFirst Patched Version
github.com/dablelv/go-huge-utilgo< 0.0.340.0.34

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from the unzipFile function's handling of zip entry names. The pre-patch code directly joined 'dstDir' and 'file.Name' (path.Join(dstDir, file.Name)), which could contain path traversal sequences. The fix introduced path sanitization via filepath.Join and strings.TrimPrefix to neutralize traversal attempts. Since the commit diff explicitly modifies this function to address the path traversal, and the CVE/GHSA both reference zip.Unzip (which calls unzipFile), this is the definitive vulnerable function.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

Imp**t ZipSlip issu* w**n us* *sutil p**k*** to unzip *il*s. W**n us*rs us* zip.Unzip to unzip zip *il*s *rom * m*li*ious *tt**k*r, t**y m*y ** vuln*r**l* to p*t* tr*v*rs*l. P*t***s It **s ***n *ix** in v*.*.**, Pl**s* up*r*** v*rsion to v*.*.** or

Reasoning

T** vuln*r**ility st*ms *rom t** `unzip*il*` *un*tion's **n*lin* o* zip *ntry n*m*s. T** pr*-p*t** *o** *ir**tly join** '*st*ir' *n* '*il*.N*m*' (p*t*.Join(*st*ir, *il*.N*m*)), w*i** *oul* *ont*in p*t* tr*v*rs*l s*qu*n**s. T** *ix intro*u*** p*t* s*n