CVE-2025-3445
📋 TL;DR
A path traversal vulnerability in the mholt/archiver Go library allows attackers to create or overwrite arbitrary files by exploiting symlinks in crafted ZIP archives. Applications that use archiver.Unarchive() on ZIP files are vulnerable, potentially leading to privilege escalation or code execution. The library has been deprecated in favor of mholt/archives.
💻 Affected Systems
- mholt/archiver Go library
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise via arbitrary file overwrite leading to privilege escalation, remote code execution, or complete data loss.
Likely Case
Local file overwrite leading to data corruption, denial of service, or limited privilege escalation depending on application context.
If Mitigated
Contained file system damage limited to the application's directory if proper sandboxing and privilege separation are implemented.
🎯 Exploit Status
Exploitation requires the ability to supply malicious ZIP files to the vulnerable application. A similar TAR vulnerability in the same library was previously weaponized.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: N/A - Project deprecated
Vendor Advisory: https://github.com/mholt/archiver/
Restart Required: No
Instructions:
Migrate to mholt/archives v0.1.0+, which removes the vulnerable Unarchive() functionality. For existing code, implement input validation and sanitization of archive entry names.
🔧 Temporary Workarounds
Input Validation and Sanitization
Validate and sanitize ZIP file entries before extraction to prevent path traversal
Implement custom ZIP extraction with path validation, for example: if strings.Contains(entry.Name, "..") || strings.HasPrefix(entry.Name, "/") { return fmt.Errorf("unsafe entry name %q", entry.Name) }. Reject symlink entries as well, since a check on the entry name alone does not cover the symlink vector described above.
Sandbox Extraction
Extract ZIP files to isolated directories with restricted permissions
Use chroot/jail or containerized environments for extraction
Set restrictive file permissions on extraction directory
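As an added example (not code from this page or from the archiver project), a Go check that implements the workaround above: it rejects symlink entries, absolute names and any name that still escapes the destination after cleaning, while accepting names that merely contain ".." inside a legitimate filename, which the plain substring check above would refuse. The function names safeTarget, checkArchive and buildZip are hypothetical, and buildZip only constructs sample archives in memory so the check can be exercised offline.

```go
package main

import (
	"archive/zip"
	"bytes"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// safeTarget returns where entry f may be written under the clean directory dest, rejecting
// symlinks (the CVE-2025-3445 vector), absolute names, and names that escape dest after Join cleans "..".
func safeTarget(dest string, f *zip.File) (string, error) {
	if f.Mode()&os.ModeSymlink != 0 || strings.HasPrefix(f.Name, "/") {
		return "", fmt.Errorf("entry %q rejected: symlink or absolute name", f.Name)
	}
	target := filepath.Join(dest, filepath.FromSlash(f.Name)) // Join cleans ".." components
	if target != dest && !strings.HasPrefix(target, dest+string(filepath.Separator)) {
		return "", fmt.Errorf("entry %q escapes %s", f.Name, dest)
	}
	return target, nil
}

// checkArchive validates every entry of an in-memory ZIP before anything is written to disk.
func checkArchive(dest string, data []byte) error {
	zr, err := zip.NewReader(bytes.NewReader(data), int64(len(data)))
	if err != nil {
		return err
	}
	for _, f := range zr.File {
		if _, err := safeTarget(filepath.Clean(dest), f); err != nil {
			return err
		}
	}
	return nil
}

// buildZip wraps one constructed entry in an in-memory ZIP (sample data only); os.ModeSymlink in mode
// marks a symlink entry whose body is the link target.
func buildZip(name, body string, mode os.FileMode) []byte {
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	h := &zip.FileHeader{Name: name, Method: zip.Deflate}
	h.SetMode(mode)
	w, _ := zw.CreateHeader(h)
	w.Write([]byte(body))
	zw.Close()
	return buf.Bytes()
}
```

Run checkArchive over the untrusted bytes before any extraction step; an error means the whole archive should be discarded rather than partially extracted.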
🧯 If You Can't Patch
- Implement strict input validation rejecting ZIP files with symlinks or path traversal attempts
- Run the vulnerable application with minimal privileges and in isolated environments
🔍 How to Verify
Check if Vulnerable:
Check go.mod for a mholt/archiver dependency and search the codebase for archiver.Unarchive() calls that accept ZIP files
Check Version:
grep mholt/archiver go.mod && grep -r "archiver.Unarchive" .
Verify Fix Applied:
Verify migration to mholt/archives v0.1.0+ or implementation of proper input validation in extraction logic
📡 Detection & Monitoring
Log Indicators:
- Failed file extraction attempts
- Permission denied errors for unexpected file paths
- ZIP extraction to system directories
Network Indicators:
- Large or unusual ZIP file uploads to vulnerable endpoints
SIEM Query:
source="application.logs" AND ("archiver.Unarchive" OR "ZIP extraction" OR "permission denied") AND (".." OR "/etc" OR "/root")