HIGHCVE-2025-3445CVSS 8.1

CVE-2025-3445: Path Traversal in Archiver Go Library

Q: What is CVE-2025-3445 — Path Traversal in Archiver Go Library?

CVE-2025-3445 is a Path Traversal vulnerability in the `github.com/mholt/archiver` Go library, allowing attackers to read arbitrary files via crafted ZIP files.

Q: Am I affected by CVE-2025-3445 in Archiver Go Library?

You are affected if you are using a version of `github.com/mholt/archiver` prior to 3.0.1 and process ZIP files.

Q: How do I fix CVE-2025-3445 in Archiver Go Library?

Upgrade the `github.com/mholt/archiver` library to version 3.0.1 or later. Implement input validation on ZIP file contents as a temporary workaround.

Platform

go

Component

github.com/mholt/archiver

Fixed in

3.5.2

AI Confidence: highNVDEPSS 0.7%Reviewed: May 2026

View on NVD

Save

CVE-2025-3445 is a Path Traversal vulnerability affecting the github.com/mholt/archiver Go library. This vulnerability allows attackers to potentially read arbitrary files on the system by crafting malicious ZIP archives. Versions of the library prior to 3.0.1 are vulnerable, and upgrading to the patched version is the recommended remediation.

Impact and Attack Scenarios

An attacker exploiting this vulnerability can leverage a specially crafted ZIP file to navigate outside the intended directory structure and access sensitive files on the server. This could include configuration files, source code, or even system files, depending on the permissions of the process running the mholt/archiver library. The potential for data exfiltration and system compromise is significant. While direct remote code execution is unlikely, the ability to read arbitrary files could be a stepping stone for further attacks, such as privilege escalation or information disclosure.

Exploitation Context

CVE-2025-3445 was publicly disclosed on 2025-08-05. There is currently no indication of active exploitation or a KEV listing. Public proof-of-concept code is likely to emerge given the ease of exploiting path traversal vulnerabilities. Monitor security advisories and vulnerability tracking resources for updates.

Threat Intelligence

Exploit Status

Proof of ConceptUnknown

CISA KEVNO

Internet ExposureHigh

EPSS

0.67% (71% percentile)

CISA SSVC

Exploitationnone

Automatableno

Technical Impacttotal

CVSS Vector

Affected Software

Componentgithub.com/mholt/archiver

Vendorosv

Affected rangeFixed in

v3.0.0 – v3.5.13.5.2

3.5.13.5.2

Weakness Classification (CWE)

CWE-22

Timeline

Reserved2025-04-08
Published2025-08-05
Modified2026-02-04
EPSS updated2026-03-23

Mitigation and Workarounds

The primary mitigation for CVE-2025-3445 is to upgrade the github.com/mholt/archiver library to version 3.0.1 or later. If upgrading is not immediately feasible, consider implementing input validation and sanitization on ZIP file contents before processing them with the library. Specifically, rigorously validate the file paths extracted from the ZIP archive to ensure they remain within the expected directory. WAF rules can be implemented to block uploads of ZIP files with suspicious path traversal patterns (e.g., ../). After upgrading, confirm the fix by attempting to extract a malicious ZIP file containing path traversal sequences and verifying that access is denied.

How to fix

Actualice a una versión de la librería mholt/archiver que no sea vulnerable. Considere migrar a mholt/archives, el sucesor de mholt/archiver, que ha eliminado la funcionalidad Unarchive(). Si no es posible actualizar, evite usar la función archiver.Unarchive() con archivos ZIP provenientes de fuentes no confiables.

CVE Security Newsletter

Vulnerability analysis and critical alerts directly to your inbox.

Frequently asked questions

What is CVE-2025-3445 — Path Traversal in Archiver Go Library?

CVE-2025-3445 is a Path Traversal vulnerability in the github.com/mholt/archiver Go library, allowing attackers to read arbitrary files via crafted ZIP files.

Am I affected by CVE-2025-3445 in Archiver Go Library?

You are affected if you are using a version of github.com/mholt/archiver prior to 3.0.1 and process ZIP files.

How do I fix CVE-2025-3445 in Archiver Go Library?

Upgrade the github.com/mholt/archiver library to version 3.0.1 or later. Implement input validation on ZIP file contents as a temporary workaround.

Is CVE-2025-3445 being actively exploited?

There is currently no confirmed active exploitation, but public proof-of-concept code is expected.

Where can I find the official Archiver advisory for CVE-2025-3445?

Refer to the GitHub repository for updates and advisories: https://github.com/mholt/archiver

NextGuard

Vulnerabilities

Is your project affected?

Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.

Go

Detect this CVE in your project

Upload your go.mod file and we'll tell you instantly if you're affected.

Scan free

Search CVEs

Upload go.mod

What do these metrics mean?

Attack Vector: Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
Attack Complexity: High — requires a race condition, non-default configuration, or specific circumstances. Harder to exploit reliably.
Privileges Required: None — unauthenticated. No login or credentials needed to exploit.
User Interaction: None — attack is automatic and silent. Victim does nothing: no click, no file open.
Scope: Changed — successful attack can pivot beyond the vulnerable component to other systems or the host OS.
Confidentiality: Low — partial or indirect data access. Attacker gains limited information.
Integrity: High — attacker can write, modify, or delete any data: databases, config files, or code.
Availability: Low — partial or intermittent denial of service. Attacker can degrade performance.