
CVE-2025-3445: mholt/archiver Vulnerable to Path Traversal via Crafted ZIP File

CVSS Score: 8.1 (CVSS v3.1)

Basic Information

EPSS Score: 0.344%
Published: 4/14/2025
Updated: 4/14/2025
KEV Status: No
Technology: Go

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:H/A:L

Package Name | Ecosystem | Vulnerable Versions | First Patched Version
github.com/mholt/archiver | go | <= 3.5.1 | (not listed)
github.com/mholt/archiver/v3 | go | <= 3.5.1 | (not listed)

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability description directly implicates archiver.Unarchive as the function processing the malicious input (crafted ZIP file) and performing the unsafe extraction. The provided commit, although only a README update, confirms the project's stance on not mitigating this specific vulnerability within its extraction functionalities. The deprecation of the project and removal of Unarchive() in its successor further supports that this function was the core of the issue. While the exact file path for archiver.go is an assumption based on common Go project structures and the function name, the function signature archiver.Unarchive is clearly identified as vulnerable.
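The guard the root cause analysis says Unarchive lacked, written here as an added Go example (not mholt/archiver's code): rejectedEntries refuses entry names that climb out of the extraction directory and symlink entries whose target does the same, and buildArchive constructs a two-entry ZIP in memory that exercises both shapes. The check is lexical, on the slash-separated names ZIP stores, and assumes dest is a slash-separated directory path.

```go
package main

import (
	"archive/zip"
	"io"
	"os"
	"path"
	"strings"
)

// insideDest is the lexical Zip Slip check: name must stay under dest after ".." resolves.
func insideDest(dest, name string) bool {
	dest, full := path.Clean(dest), path.Join(path.Clean(dest), name)
	return full == dest || strings.HasPrefix(full, dest+"/")
}

// rejectedEntries lists what an extractor must refuse before writing: names that escape dest,
// and symlinks whose target (absolute, or resolved from the link's directory) escapes dest.
func rejectedEntries(dest string, r *zip.Reader) []string {
	var bad []string
	for _, f := range r.File {
		ok := insideDest(dest, f.Name)
		if ok && f.Mode()&os.ModeSymlink != 0 {
			rc, err := f.Open() // a symlink entry's body is its target path
			if ok = err == nil; ok { // an unreadable symlink body is refused too
				t, err := io.ReadAll(rc)
				rc.Close()
				ok = err == nil && !path.IsAbs(string(t)) && insideDest(dest, path.Join(path.Dir(path.Clean(f.Name)), string(t)))
			}
		}
		if !ok {
			bad = append(bad, f.Name)
		}
	}
	return bad
}

func buildArchive() *zip.Reader { // constructed in-memory ZIP holding both Zip Slip shapes
	var sb strings.Builder
	w := zip.NewWriter(&sb)
	fw, _ := w.Create("../evil.txt") // plain file whose name climbs out of dest
	fw.Write([]byte("escapes dest"))
	h := &zip.FileHeader{Name: "link"}
	h.SetMode(os.ModeSymlink | 0o777) // Mode() on the read side then reports ModeSymlink
	fw, _ = w.CreateHeader(h)
	fw.Write([]byte("../../outside")) // the link's target, stored as the entry body
	w.Close()
	r, _ := zip.NewReader(strings.NewReader(sb.String()), int64(sb.Len())) // Go 1.20+ may add ErrInsecurePath; reader still usable
	return r
}
```

Any name this returns must be skipped, or the whole archive refused, before a single entry is written to disk.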

WAF Protection Rules

WAF Rule

A Path Traversal "Zip Slip" vulnerability has been identified in mholt/archiver in Go. This vulnerability allows using a crafted ZIP file containing path traversal symlinks to create or overwrite files with the user's privileges or application utiliz