CVE-2025-64346


📋 TL;DR

CVE-2025-64346 is a path traversal vulnerability in the archives Go library that allows attackers to achieve remote code execution or file modification by providing specially crafted archive files. This affects any application using archives library version 1.0.0 to extract untrusted archive files. The impact severity depends on the permissions of the process using the library.

💻 Affected Systems

Products:
  • archives Go library
Versions: Version 1.0.0 only
Operating Systems: All operating systems where Go applications run
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects applications that use the archives library to extract untrusted archive files. Applications that only process trusted archives are not vulnerable.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).

Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full system compromise with remote code execution as the user running the vulnerable application, potentially leading to data theft, ransomware deployment, or complete system takeover.

🟠 Likely Case

File system manipulation including arbitrary file read/write, directory traversal, and potential privilege escalation depending on application context.

🟢 If Mitigated

Limited impact if only trusted archives are processed or if the application runs with minimal permissions in a sandboxed environment.

🌐 Internet-Facing: HIGH if the application processes user-uploaded archives from the internet without proper validation.
🏢 Internal Only: MEDIUM if internal users can submit archives to vulnerable applications, but lower if archive sources are controlled.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires the attacker to provide a malicious archive file to a vulnerable application. No authentication is needed if the application accepts arbitrary archives.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.0.1

Vendor Advisory: https://github.com/jaredallard/archives/security/advisories/GHSA-j95m-rcjp-q69h

Restart Required: No

Instructions:

  1. Update go.mod to require archives v1.0.1 or later.
  2. Run 'go get github.com/jaredallard/archives@v1.0.1'.
  3. Rebuild and redeploy your application.

🔧 Temporary Workarounds

Input validation and sanitization (platforms: all)

Validate archive files before processing; reject archives with suspicious paths or symlinks.
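
One way to implement that pre-extraction check for tar input, using only Go's standard archive/tar package. This is an added example, not code from the advisory or from the archives library; CheckTar and sampleTar are hypothetical names, and the sample archive is constructed in memory.

```go
package main

import (
	"archive/tar"
	"bytes"
	"fmt"
	"io"
	"path/filepath"
)

// CheckTar reads every header of a tar stream and rejects the whole archive if
// any entry is a symlink or hard link, or names an absolute or ".."-escaping path.
func CheckTar(r io.Reader) error {
	tr := tar.NewReader(r)
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			return nil // every entry passed
		}
		if err != nil {
			return err // malformed archive: reject as well
		}
		if hdr.Typeflag == tar.TypeSymlink || hdr.Typeflag == tar.TypeLink {
			return fmt.Errorf("unsafe entry: link %q -> %q", hdr.Name, hdr.Linkname)
		}
		// IsLocal (Go 1.20+) is a lexical check: non-empty, relative, no ".." escape.
		if !filepath.IsLocal(filepath.FromSlash(hdr.Name)) {
			return fmt.Errorf("unsafe entry: path %q leaves the target directory", hdr.Name)
		}
	}
}

// sampleTar builds a constructed one-entry archive: a file, or a symlink if linkTarget is set.
func sampleTar(name, linkTarget string) io.Reader {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	hdr := &tar.Header{Name: name, Mode: 0o644, Typeflag: tar.TypeReg}
	if linkTarget != "" {
		hdr.Typeflag, hdr.Linkname = tar.TypeSymlink, linkTarget
	}
	if err := tw.WriteHeader(hdr); err != nil {
		panic(err)
	}
	tw.Close()
	return &buf
}

func main() {
	fmt.Println(CheckTar(sampleTar("../../etc/cron.d/job", ""))) // constructed traversal entry
}
```

Run the check on a buffered copy of the upload and hand the archive to the extractor only if it returns nil. Other archive formats need the same per-entry checks.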

Sandbox execution (platforms: all)

Run archive extraction in a container or sandbox with restricted filesystem access.

🧯 If You Can't Patch

  • Implement strict input validation to only accept archives from trusted sources
  • Run the application with minimal privileges and in a chroot/jail environment

🔍 How to Verify

Check if Vulnerable:

Check go.mod or go.sum for archives dependency version 1.0.0

Check Version:

grep 'github.com/jaredallard/archives' go.mod

Verify Fix Applied:

Verify archives version is 1.0.1 or later in go.mod and that the application rebuilds successfully

📡 Detection & Monitoring

Log Indicators:

  • Unexpected file operations during archive extraction
  • Errors from archive library about invalid paths

Network Indicators:

  • Large or unusual archive uploads to applications

SIEM Query:

Process execution from archive extraction directory OR File modification in unexpected locations following archive upload
