CVE-2024-24789

5.5 MEDIUM

📋 TL;DR

This vulnerability in Go's archive/zip package allows attackers to create specially crafted ZIP files that behave differently depending on which ZIP implementation processes them. This could enable file content manipulation or confusion attacks. Affects any Go application that processes ZIP files from untrusted sources.

💻 Affected Systems

Products:
  • Go programming language
  • Applications using Go's archive/zip package
Versions: Go versions before 1.22.6 and 1.21.11
Operating Systems: All platforms running affected Go versions
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects applications that process ZIP files from untrusted sources. Applications that don't use archive/zip or only process trusted ZIP files are not vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could deliver malicious content disguised as legitimate files, potentially leading to data corruption, malware delivery, or bypassing security controls that rely on file validation.

🟠 Likely Case

File integrity issues where the same ZIP file yields different contents when processed by different systems, potentially causing application errors or data inconsistencies.

🟢 If Mitigated

Limited impact with proper input validation and file source verification in place.

🌐 Internet-Facing: MEDIUM - Applications accepting ZIP uploads from external users could be targeted, but exploitation requires specific conditions.
🏢 Internal Only: LOW - Internal systems processing trusted ZIP files have minimal exposure.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires crafting specific invalid ZIP files and targeting applications that process such files without proper validation.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Go 1.22.6 and Go 1.21.11

Vendor Advisory: https://groups.google.com/g/golang-announce/c/XbxouI9gY7k/m/TuoGEhxIEwAJ

Restart Required: Yes

Instructions:

1. Update Go to version 1.22.6 or 1.21.11.
2. Recompile all affected applications with the updated Go version.
3. Redeploy updated applications.
4. Restart services using the patched applications.

🔧 Temporary Workarounds

Input validation for ZIP files (applies to: all)

Implement strict validation of ZIP files before processing, rejecting files with structural errors or anomalies.

Source verification (applies to: all)

Only accept ZIP files from trusted, authenticated sources with integrity checks.
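The validator below is an added example of the "reject files with structural errors or anomalies" workaround for a service that accepts ZIP uploads; it is not code from the Go project or from this advisory. The function name `ValidateZip`, the `maxEntryBytes` limit and the in-memory sample archive are assumptions made for the example. It parses the archive with `archive/zip`, then refuses anything that does not agree with its own central directory: duplicate entry names, unsafe paths, out-of-bounds local headers or data, declared-versus-actual length mismatches and CRC-32 failures, which the Go reader reports as `zip.ErrChecksum` once an entry has been fully read.

```go
package main

import (
	"archive/zip"
	"bytes"
	"fmt"
	"io"
	"io/fs"
	"strings"
)

// Assumed per-entry expansion limit for this example; tune it per application.
const maxEntryBytes = 8 << 20

// ValidateZip parses the archive with archive/zip and then rejects anything
// that disagrees with its own central directory: duplicate names, unsafe paths,
// oversized or out-of-bounds entries, length mismatches and CRC-32 failures.
func ValidateZip(data []byte) error {
	r, err := zip.NewReader(bytes.NewReader(data), int64(len(data)))
	if err != nil {
		return fmt.Errorf("central directory rejected: %w", err)
	}
	seen := make(map[string]struct{}, len(r.File))
	for _, f := range r.File {
		if _, dup := seen[f.Name]; dup {
			return fmt.Errorf("entry %q: duplicate name", f.Name)
		}
		seen[f.Name] = struct{}{}
		// Directory entries end in "/", which fs.ValidPath does not accept.
		if !fs.ValidPath(strings.TrimSuffix(f.Name, "/")) {
			return fmt.Errorf("entry %q: unsafe path", f.Name)
		}
		if f.UncompressedSize64 > maxEntryBytes {
			return fmt.Errorf("entry %q: declared size %d over limit", f.Name, f.UncompressedSize64)
		}
		// DataOffset parses the local header; it fails if the directory points at garbage.
		off, err := f.DataOffset()
		if err != nil {
			return fmt.Errorf("entry %q: bad local header: %w", f.Name, err)
		}
		if uint64(off)+f.CompressedSize64 > uint64(len(data)) {
			return fmt.Errorf("entry %q: data runs past end of archive", f.Name)
		}
		// Decompress and discard the body: the reader verifies the CRC-32 at EOF.
		rc, err := f.Open()
		if err != nil {
			return fmt.Errorf("entry %q: %w", f.Name, err)
		}
		n, err := io.Copy(io.Discard, io.LimitReader(rc, maxEntryBytes+1))
		rc.Close()
		if err != nil {
			return fmt.Errorf("entry %q: corrupt body: %w", f.Name, err)
		}
		if n != int64(f.UncompressedSize64) {
			return fmt.Errorf("entry %q: read %d bytes, directory declares %d", f.Name, n, f.UncompressedSize64)
		}
	}
	return nil
}

type entry struct{ name, body string }

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// buildSample writes a small archive in memory: constructed input, not a real file.
func buildSample(entries []entry, method uint16) []byte {
	var buf bytes.Buffer
	w := zip.NewWriter(&buf)
	for _, e := range entries {
		fw, err := w.CreateHeader(&zip.FileHeader{Name: e.name, Method: method})
		must(err)
		_, err = io.WriteString(fw, e.body)
		must(err)
	}
	must(w.Close())
	return buf.Bytes()
}

// corruptFirstEntry flips one stored byte so the body no longer matches the recorded CRC-32.
func corruptFirstEntry(data []byte) []byte {
	out := append([]byte(nil), data...)
	r, err := zip.NewReader(bytes.NewReader(out), int64(len(out)))
	must(err)
	off, err := r.File[0].DataOffset()
	must(err)
	out[off] ^= 0xff
	return out
}

func main() {
	good := buildSample([]entry{{"notes/readme.txt", "hello from a constructed archive"}}, zip.Store)
	fmt.Println("intact:   ", ValidateZip(good))
	fmt.Println("tampered: ", ValidateZip(corruptFirstEntry(good)))
	fmt.Println("truncated:", ValidateZip(good[:len(good)-10]))
}
```

Run it with `go run` and it prints `<nil>` for the intact archive and an error for the tampered and truncated ones. The check is a workaround, not a substitute for the patch: it relies on the same `archive/zip` parser, so it catches archives that are truncated, tampered with or internally inconsistent, but cannot rule out a parsing discrepancy inside the unpatched reader itself. Because the fix lives in the toolchain, a deployed binary stays vulnerable until it is rebuilt; `go version -m <binary>` reports which Go version built a given executable.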

🧯 If You Can't Patch

  • Implement strict file upload validation and sanitization
  • Use alternative ZIP processing libraries with different validation logic

🔍 How to Verify

Check if Vulnerable:

Check Go version with 'go version'. If version is below 1.22.6 (for 1.22.x) or below 1.21.11 (for 1.21.x), the system is vulnerable.

Check Version:

go version

Verify Fix Applied:

After updating, run 'go version' to confirm the version is 1.22.6+ or 1.21.11+. Test with known problematic ZIP files to ensure they are rejected.

📡 Detection & Monitoring

Log Indicators:

  • Multiple failed ZIP file processing attempts
  • Unexpected errors from archive/zip package
  • File validation failures for ZIP archives

Network Indicators:

  • Unusual ZIP file upload patterns
  • Multiple failed upload attempts of ZIP files

SIEM Query:

source="application_logs" AND ("archive/zip" OR "zip processing") AND (error OR failure OR invalid)
