CVE-2025-0377

7.5 HIGH

📋 TL;DR

HashiCorp's go-slug library is vulnerable to a zip-slip attack when extracting tar archives with non-existing user-provided paths. This allows attackers to write arbitrary files outside the intended extraction directory, potentially leading to remote code execution. Any application using go-slug to process untrusted tar archives is affected.

💻 Affected Systems

Products:
  • HashiCorp go-slug
Versions: All versions before v0.14.0
Operating Systems: All platforms where go-slug is used
Default Config Vulnerable: ⚠️ Yes
Notes: Only vulnerable when processing tar archives with non-existing user-provided paths. Applications using go-slug for archive extraction are affected.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution with the privileges of the application processing the tar archive, allowing complete system compromise.

🟠

Likely Case

Arbitrary file write to sensitive locations, potentially leading to privilege escalation, data corruption, or denial of service.

🟢

If Mitigated

Limited impact if proper sandboxing, file permission restrictions, and input validation are in place.

🌐 Internet-Facing: HIGH if the application processes user-uploaded tar archives from untrusted sources.
🏢 Internal Only: MEDIUM if only internal users can upload archives, but still significant due to potential lateral movement.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires the ability to upload or provide a malicious tar archive to an application using go-slug. No public exploit code is available yet.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v0.14.0

Vendor Advisory: https://discuss.hashicorp.com/t/hcsec-2025-01-hashicorp-go-slug-vulnerable-to-zip-slip-attack

Restart Required: No

Instructions:

1. Update go-slug dependency to v0.14.0 or later.
2. Run 'go get github.com/hashicorp/go-slug@v0.14.0'.
3. Rebuild and redeploy affected applications.

🔧 Temporary Workarounds

Input validation and sanitization (applies to: all)

Validate and sanitize tar archive entries before extraction, rejecting paths with directory traversal sequences.

Sandbox extraction (applies to: all)

Extract archives in a sandboxed environment with restricted filesystem access.
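The validation workaround above, as an added Go example that is not go-slug's own code: a lexical containment check run over every tar entry (symlink targets included) before anything is written to disk. The destination directory /tmp/extract and the archive contents are constructed for the demonstration.

```go
package main

import (
	"archive/tar"
	"bytes"
	"io"
	"path/filepath"
	"strings"
)

// Escapes reports whether dest/name would resolve outside dest (absolute name, or a ".." climb). Lexical only.
func Escapes(dest, name string) bool {
	dest = filepath.Clean(dest)
	rel, err := filepath.Rel(dest, filepath.Join(dest, name)) // Join cleans ".." lexically
	return filepath.IsAbs(name) || err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

// CheckArchive scans a tar stream without writing anything and returns the names of
// entries that would escape dest; a relative symlink target is resolved from the
// link's own directory first.
func CheckArchive(dest string, r io.Reader) ([]string, error) {
	tr, rejected := tar.NewReader(r), []string{}
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			return rejected, nil
		} else if err != nil {
			return rejected, err
		}
		bad := Escapes(dest, hdr.Name) || hdr.Typeflag == tar.TypeSymlink &&
			Escapes(dest, filepath.Join(filepath.Dir(hdr.Name), hdr.Linkname))
		if bad {
			rejected = append(rejected, hdr.Name)
		}
	}
}

// SampleArchive builds a constructed in-memory tar (not a real payload): two
// entries that stay inside dest, then three that a safe extractor must reject.
func SampleArchive() []byte {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	tw.WriteHeader(&tar.Header{Name: "main.tf", Typeflag: tar.TypeReg})
	tw.WriteHeader(&tar.Header{Name: "modules/../vars.tf", Typeflag: tar.TypeReg})   // cleans to vars.tf
	tw.WriteHeader(&tar.Header{Name: "../../etc/cron.d/job", Typeflag: tar.TypeReg}) // climbs above dest
	tw.WriteHeader(&tar.Header{Name: "/etc/passwd", Typeflag: tar.TypeReg})          // absolute
	tw.WriteHeader(&tar.Header{Name: "modules/link", Linkname: "../../../x", Typeflag: tar.TypeSymlink})
	tw.Close()
	return buf.Bytes()
}
```

Run CheckArchive on an archive before extracting it and refuse the whole archive if the returned list is non-empty; the check is lexical, so symlinks that already exist under the destination still need a separate check.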

🧯 If You Can't Patch

  • Disable tar archive processing from untrusted sources
  • Implement strict file permission controls and monitor for suspicious file writes

🔍 How to Verify

Check if Vulnerable:

Check go.mod or go.sum for the go-slug version. If the version is below v0.14.0, the application is vulnerable.

Check Version:

grep 'hashicorp/go-slug' go.mod || grep 'hashicorp/go-slug' go.sum

Verify Fix Applied:

Verify go-slug version is >=0.14.0 in go.mod/go.sum and rebuild the application.

📡 Detection & Monitoring

Log Indicators:

  • Unexpected file writes outside extraction directory
  • Failed tar extraction attempts with suspicious paths

Network Indicators:

  • Large or unusual tar archive uploads to affected services

SIEM Query:

source="application_logs" AND ("tar extraction failed" OR "path traversal" OR "go-slug")
