Platform
go
Component
github.com/mholt/archiver
Fixed in
3.5.2
CVE-2025-3445 is a Path Traversal vulnerability affecting the github.com/mholt/archiver Go library. This vulnerability allows attackers to potentially read arbitrary files on the system by crafting malicious ZIP archives. Versions of the library prior to 3.0.1 are vulnerable, and upgrading to the patched version is the recommended remediation.
The core of this vulnerability lies in the library's handling of ZIP file extraction. A specially crafted ZIP archive can contain file paths that, when extracted, write files outside of the intended directory. This allows an attacker to read sensitive files, potentially including configuration files, source code, or even system files, depending on the server's permissions and the application's context. The blast radius is directly tied to the permissions of the user running the application using the mholt/archiver library. If the application runs with elevated privileges, the attacker could gain access to a wider range of system resources. This vulnerability shares similarities with other path traversal exploits where attackers leverage file system navigation to bypass security controls.
CVE-2025-3445 was publicly disclosed on 2025-08-05. There is no indication of this vulnerability being actively exploited at the time of writing. The EPSS score is currently pending evaluation. No public proof-of-concept exploits have been released, but the vulnerability's nature makes it likely that such exploits will emerge. It is not listed on the CISA KEV catalog.
Applications and services that utilize the github.com/mholt/archiver Go library to process ZIP files are at risk. This includes applications that handle user-uploaded ZIP files or process ZIP archives from external sources. Go developers integrating this library into their projects should prioritize upgrading.
• go / supply-chain: Inspect dependencies for vulnerable versions of github.com/mholt/archiver. Use go list -m all to print the resolved module version and check whether it is older than 3.0.1 (grep cannot compare versions, so the comparison is done by eye or with a version-aware tool).
go list -m all | grep github.com/mholt/archiver
• generic web: Monitor web server access logs for requests containing suspicious ZIP file uploads with path traversal sequences (e.g., ../../../../etc/passwd).
• generic web: Check for directory listings enabled on the server that could expose ZIP files.
Disclosure
Exploit status
EPSS
0.67% (71st percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-3445 is to upgrade to version 3.0.1 of the github.com/mholt/archiver library. If upgrading is not immediately feasible, consider implementing strict input validation on ZIP files before processing them. This should include validating the file extension and sanitizing file paths within the archive to prevent traversal attempts (e.g., removing or rejecting paths containing '..' or absolute paths). Web application firewalls (WAFs) can be configured to detect and block requests containing suspicious ZIP file content. Monitor application logs for unusual file access patterns or errors related to ZIP file extraction. After upgrading, verify the fix by attempting to extract a known malicious ZIP file and confirming that it fails to write outside the intended directory.
Upgrade to a version of the mholt/archiver library that is not vulnerable. Consider migrating to mholt/archives, the successor of mholt/archiver, which has removed the Unarchive() functionality. If upgrading is not possible, avoid using the archiver.Unarchive() function with ZIP files from untrusted sources.
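The entry-path validation described in the two mitigation paragraphs above, as an added example in Go that is not part of this advisory or of the mholt/archiver library. Function names (safeJoin, unsafeEntries, buildCraftedZip) and the in-memory sample archive are constructed for this illustration; the idea is to validate every entry of an untrusted archive against the destination directory before any extraction routine writes a single file.

```go
package main

import (
	"archive/zip"
	"bytes"
	"path/filepath"
	"strings"
)

// safeJoin resolves a ZIP entry name under dest. It returns ok=false for an
// absolute name or one whose cleaned form leaves dest through ".." segments.
func safeJoin(dest, name string) (target string, ok bool) {
	if name == "" || filepath.IsAbs(name) {
		return "", false
	}
	target = filepath.Join(dest, filepath.FromSlash(name)) // Join also cleans the path
	rel, err := filepath.Rel(dest, target)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", false
	}
	return target, true
}

// unsafeEntries parses archive bytes and reports every entry safeJoin rejects.
// Run it before extraction: a non-empty result means reject the whole archive.
func unsafeEntries(data []byte, dest string) ([]string, error) {
	r, err := zip.NewReader(bytes.NewReader(data), int64(len(data)))
	if err != nil {
		return nil, err
	}
	var bad []string
	for _, f := range r.File {
		if _, ok := safeJoin(dest, f.Name); !ok {
			bad = append(bad, f.Name)
		}
	}
	return bad, nil
}

// buildCraftedZip constructs, in memory, a sample archive mixing benign and
// traversal entries; it stands in for the crafted ZIP the advisory describes.
func buildCraftedZip() []byte {
	var buf bytes.Buffer
	w := zip.NewWriter(&buf)
	for _, e := range []string{"ok.txt", "sub/../ok2.txt", "../escape.txt", "a/../../escape2.txt", "/etc/passwd"} {
		f, _ := w.Create(e) // the writer does not validate names, so traversal entries are stored as-is
		f.Write([]byte("x"))
	}
	w.Close()
	return buf.Bytes()
}
```

The same check can be used as the post-upgrade verification the mitigation paragraph recommends: feed the known malicious archive to the validator and confirm that every traversal entry is reported.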
CVE-2025-3445 is a Path Traversal vulnerability in the github.com/mholt/archiver Go library, allowing attackers to read arbitrary files via crafted ZIP files.
You are affected if you are using a version of github.com/mholt/archiver prior to 3.0.1 and process ZIP files.
Upgrade the github.com/mholt/archiver library to version 3.0.1 or later. Implement input validation on ZIP file contents as a temporary workaround.
There is currently no confirmed active exploitation, but public proof-of-concept code is expected.
Refer to the GitHub repository for updates and advisories: https://github.com/mholt/archiver