Path Traversal Vulnerability in mholt/archiver by Go
CVE-2025-3445
8.1 HIGH
Key Information:
- Vendor
- Github.com/mholt/archiver/v3
- Status
- Github.com/mholt/archiver/v3
- Vendor
- CVE Published: 13 April 2025
Summary
A path traversal vulnerability in mholt/archiver can be exploited with crafted ZIP files that contain symlinks. When such a file is extracted through the archiver.Unarchive functionality, an attacker can manipulate filesystem paths and overwrite files on the system, compromising application integrity and potentially leading to sensitive data exposure, privilege escalation, and unauthorized code execution. Users are advised to transition to the newer mholt/archives, which eliminates the vulnerable functionality.
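For code that must still accept untrusted ZIP files, a pre-extraction audit can reject archives carrying the entry types described above. The following is an added example built on Go's standard `archive/zip` package, not code from mholt/archiver or mholt/archives; the names `AuditZip` and `sampleZip`, the destination `/srv/unpack`, and the policy of refusing every symlink entry are assumptions made for illustration.

```go
package main

import (
	"archive/zip"
	"bytes"
	"fmt"
	"io/fs"
	"path/filepath"
	"strings"
)

// AuditZip lists entries unsafe to extract under dest: symlinks and escaping names.
func AuditZip(data []byte, dest string) ([]string, error) {
	zr, err := zip.NewReader(bytes.NewReader(data), int64(len(data)))
	if err != nil {
		return nil, err
	}
	var findings []string
	for _, f := range zr.File {
		rel, err := filepath.Rel(dest, filepath.Join(dest, filepath.FromSlash(f.Name)))
		if f.Mode()&fs.ModeSymlink != 0 {
			findings = append(findings, "symlink: "+f.Name)
		} else if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
			findings = append(findings, "escapes destination: "+f.Name)
		}
	}
	return findings, nil
}

// sampleZip builds a constructed archive: a regular file, a symlink, a "../" name.
func sampleZip() []byte {
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	add := func(name string, mode fs.FileMode, body string) {
		h := &zip.FileHeader{Name: name}
		h.SetMode(mode)
		w, _ := zw.CreateHeader(h)
		w.Write([]byte(body))
	}
	add("docs/readme.txt", 0o644, "hello")
	add("docs/link", fs.ModeSymlink|0o777, "/constructed/target")
	add("../outside.txt", 0o644, "x")
	zw.Close()
	return buf.Bytes()
}

func main() {
	fmt.Println(AuditZip(sampleZip(), "/srv/unpack"))
}
```

An archive with any finding should be refused before a single entry is written to disk.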
Affected Version(s)
github.com/mholt/archiver/v3 v3.0.0
CVSS V3.1
- Score: 8.1
- Severity: HIGH
- Confidentiality: Low
- Integrity: High
- Availability: Low
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Changed
Timeline
Vulnerability published
Vulnerability Reserved