This vulnerability in jaredallard/archives allows path traversal attacks through malicious archive files. When processing ZIP or other archive formats, the library fails to properly sanitize file paths, enabling attackers to write files outside the intended extraction directory. By crafting entries with “../” sequences or absolute paths, an attacker can overwrite critical system files or plant malicious executables. The impact ranges from file modification to remote code execution depending on the process privileges.
The vulnerability occurs during archive extraction when the library:
1. Accepts user-supplied archive files
2. Processes archive entries without path normalization
3. Extracts files using raw entry names
4. Fails to validate final extraction paths
Attackers exploit this by:
1. Creating archives with specially crafted paths
2. Delivering them to target systems
3. Triggering extraction with elevated privileges
DailyCVE Form:
Platform: GitHub.com
Version: <1.0.1
Vulnerability: Path Traversal
Severity: Moderate
Date: 2025-03-28
What Undercode Says:
Exploit simulation (educational only):
mkdir -p malicious/../system
zip -r exploit.zip malicious/../system/config
// Vulnerable code example (imports: archive/zip, os, path/filepath).
// data holds the entry's contents, already read by the caller.
func extractFile(dest string, file *zip.File, data []byte) error {
	path := filepath.Join(dest, file.Name) // Unsafe join: "../" in file.Name walks out of dest
	return os.WriteFile(path, data, file.Mode())
}
// Secure patched version (imports: archive/zip, errors, os, path/filepath, strings).
// The prefix is compared against dest plus a trailing separator, so a sibling
// directory such as dest+"side" is not accepted as a match.
func safeExtract(dest string, file *zip.File, data []byte) error {
	dest = filepath.Clean(dest)
	path := filepath.Join(dest, file.Name) // Join also cleans the result
	if !strings.HasPrefix(path, dest+string(filepath.Separator)) {
		return errors.New("path traversal attempt")
	}
	return os.WriteFile(path, data, file.Mode())
}
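The difference between the naive fix and a real containment check is easiest to see by running both over the same entry names. The following stand-alone Go program is an added example for this write-up; it is not code from jaredallard/archives or from the advisory. It puts three variants side by side: the raw join (the vulnerable pattern), a bare string-prefix check, and a check that proves containment with filepath.Rel. The destination /tmp/out and the entry names are constructed test values; nothing is written to disk.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrTraversal is returned for any entry name that would land outside dest.
var ErrTraversal = errors.New("archive entry escapes extraction directory")

// unsafeJoin mirrors the vulnerable pattern: the entry name is joined to the
// destination with no check, so "../" segments are honoured.
func unsafeJoin(dest, name string) string {
	return filepath.Join(dest, name)
}

// prefixCheckJoin is the naive fix: compare string prefixes without a trailing
// separator. It is included to show its weakness (a sibling directory that
// shares the destination's prefix passes), not as a recommendation.
func prefixCheckJoin(dest, name string) (string, error) {
	p := filepath.Join(dest, name)
	if !strings.HasPrefix(filepath.Clean(p), filepath.Clean(dest)) {
		return "", ErrTraversal
	}
	return p, nil
}

// safeJoin is the hardened version. It rejects empty and absolute names and
// any backslash-separated name (the ZIP format mandates forward slashes), then
// proves containment with filepath.Rel, which yields a path beginning with ".."
// for anything outside dest.
func safeJoin(dest, name string) (string, error) {
	if name == "" || filepath.IsAbs(name) || strings.ContainsRune(name, '\\') {
		return "", ErrTraversal
	}
	dest = filepath.Clean(dest)
	target := filepath.Join(dest, name) // Join also cleans the result
	rel, err := filepath.Rel(dest, target)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrTraversal
	}
	return target, nil
}

func main() {
	const dest = "/tmp/out" // assumed extraction directory
	// Constructed entry names, not taken from any real archive.
	entries := []string{
		"docs/readme.txt",    // benign
		"../outside/x",       // classic traversal; also defeats the bare prefix check
		"a/../../etc/passwd", // traversal hidden behind a normal segment
		"/etc/passwd",        // absolute name (filepath.Join relativizes it, but reject anyway)
	}
	for _, e := range entries {
		fmt.Printf("%-22q unsafe=%s", e, unsafeJoin(dest, e))
		if p, err := prefixCheckJoin(dest, e); err == nil {
			fmt.Printf(" prefix=ok(%s)", p)
		} else {
			fmt.Printf(" prefix=%v", err)
		}
		if p, err := safeJoin(dest, e); err == nil {
			fmt.Printf(" safe=ok(%s)\n", p)
		} else {
			fmt.Printf(" safe=%v\n", err)
		}
	}
}
```

Run with `go run .`; the second entry is the instructive one: the raw join resolves it to /tmp/outside/x, the bare prefix check accepts that path because it starts with the string "/tmp/out", and only the filepath.Rel check rejects it. The same containment test belongs wherever an archive entry name is turned into a filesystem path, including directory entries and symlink targets.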
Detection command (flags every filepath.Join whose argument list includes an entry's Name field, the pattern seen in the vulnerable code above):
grep -rn 'filepath\.Join(.*\.Name' --include='*.go' /path/to/code
Snyk policy example (.snyk):
version: v1.22.0
ignore:
  CVE-2025-XXXX:
    - '> 1.0.0'
Protection in containers (run the extracting process as an unprivileged user):
FROM alpine
RUN apk add --no-cache zip && \
    rm -rf /var/cache/apk/
COPY --chown=nobody:nobody app /app
USER nobody
Upgrade command:
go get github.com/jaredallard/archives@v1.0.1
Exploit detection script (flags archives whose entry names would escape the extraction directory):
import posixpath
import zipfile

def check_zip(path):
    """Return True if any entry name would escape the extraction directory."""
    with zipfile.ZipFile(path) as z:
        for name in z.namelist():
            # Normalize first so "a/../../x" and backslash-separated names are caught too.
            norm = posixpath.normpath(name.replace("\\", "/"))
            if norm.startswith("/") or norm == ".." or norm.startswith("../"):
                return True
    return False
References:
Reported By: https://github.com/advisories/GHSA-j95m-rcjp-q69h