CVE-2020-7664
📋 TL;DR
This vulnerability allows attackers to perform path traversal attacks when extracting malicious zip archives using the github.com/unknwon/cae/zip package. Attackers can write files anywhere on the filesystem by using '..' sequences in zip entry paths. Any Go application using this package for zip extraction is affected.
💻 Affected Systems
- Go applications using github.com/unknwon/cae/zip package
📦 What is this software?
Compression And Archive Extensions Zip Project by Compression And Archive Extensions Project
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise via arbitrary file write to sensitive locations like /etc/passwd, /root/.ssh/, or system binaries, potentially leading to remote code execution.
Likely Case
Arbitrary file overwrite or creation leading to data corruption, privilege escalation, or backdoor installation.
If Mitigated
Limited impact if application runs with minimal privileges and filesystem permissions restrict write access to sensitive areas.
🎯 Exploit Status
Exploitation is straightforward - create a zip archive with malicious file paths containing '..' sequences. Public proof-of-concept exists in vulnerability reports.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Update to latest version of github.com/unknwon/cae/zip (v1.0.0 or later)
Vendor Advisory: https://github.com/unknwon/cae/security/advisories
Restart Required: No
Instructions:
1. Update go.mod to require latest version of github.com/unknwon/cae/zip
2. Run 'go mod tidy'
3. Rebuild and redeploy application
4. Test zip extraction functionality
🔧 Temporary Workarounds
Validate zip paths before extraction
Implement custom validation that rejects unsafe file paths in zip archives before calling ExtractTo
// Go code to validate paths: rejects any entry name containing ".."
// (conservative: legitimate names such as "a..b.txt" are rejected too)
package main

import "strings"

func validatePath(path string) bool {
	return !strings.Contains(path, "..")
}
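A more precise check than the substring test above, added here as an example that is not part of this advisory or of the cae project: it resolves each entry name against the destination directory and rejects any that would land outside it, and it validates the whole archive before a single file is written. SafeJoin, CheckArchive and BuildArchive are names chosen for this example, and the destination path and entry names are constructed sample values.

```go
package main

import (
	"archive/zip"
	"bytes"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// SafeJoin resolves an entry name against dest and rejects it unless the cleaned
// result stays inside dest: ".." climbs are caught, a leading slash is anchored
// under dest by the join, and legitimate names such as "a..b/c.txt" still pass.
func SafeJoin(dest, name string) (string, error) {
	cleanDest := filepath.Clean(dest)
	target := filepath.Join(cleanDest, filepath.FromSlash(name))
	if target != cleanDest && !strings.HasPrefix(target, cleanDest+string(os.PathSeparator)) {
		return "", fmt.Errorf("zip entry %q escapes destination %q", name, cleanDest)
	}
	return target, nil
}

// CheckArchive validates every entry name before anything is written, so one
// unsafe entry anywhere in the archive rejects the whole archive.
func CheckArchive(r *zip.Reader, dest string) error {
	for _, f := range r.File {
		if _, err := SafeJoin(dest, f.Name); err != nil {
			return err
		}
	}
	return nil
}

// BuildArchive builds an in-memory zip whose entries have the given names, used
// here to construct sample input; names are stored verbatim, ".." included.
func BuildArchive(names ...string) (*zip.Reader, error) {
	var buf bytes.Buffer
	w := zip.NewWriter(&buf)
	for _, n := range names {
		if _, err := w.Create(n); err != nil {
			return nil, err
		}
	}
	if err := w.Close(); err != nil {
		return nil, err
	}
	return zip.NewReader(bytes.NewReader(buf.Bytes()), int64(buf.Len()))
}
```

This validates entry names only; if the extractor honours symlink entries, their link targets need the same check, or a symlink written by one entry can redirect a later one outside dest.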
Use alternative zip library
Replace github.com/unknwon/cae/zip with a secure alternative such as archive/zip from the Go standard library. archive/zip ships with Go, so no go get is needed; import it directly:
import "archive/zip"
🧯 If You Can't Patch
- Run application with minimal privileges (non-root user with restricted filesystem access)
- Implement input validation to reject zip files from untrusted sources or implement sandboxed extraction
🔍 How to Verify
Check if Vulnerable:
Check go.mod for github.com/unknwon/cae/zip dependency with version < 1.0.0
Check Version:
grep 'github.com/unknwon/cae/zip' go.mod
Verify Fix Applied:
Verify go.mod requires github.com/unknwon/cae/zip v1.0.0 or later and test extraction with malicious zip containing '..' paths
📡 Detection & Monitoring
Log Indicators:
- Unexpected file writes outside expected extraction directory
- Failed file operations due to permission errors in unusual locations
Network Indicators:
- Large or unusual zip file uploads to vulnerable endpoints
SIEM Query:
source="application.logs" AND ("ExtractTo" OR "zip extraction") AND ("permission denied" OR ".." in filepath)