GHSA-j95m-rcjp-q69h – github.com/jaredallard/archives

Package

Manager: go
Name: github.com/jaredallard/archives
Vulnerable Version: >=0 <1.0.1

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N

EPSS: N/A pctlN/A

Details

github.com/jaredallard/archives Has Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') ### Impact A malicious user could feed a specially crafted archive to this library causing RCE, modification of files or other bad things in the context of whatever user is running this library as, through the program that imports it. The severity highly depends on the user's permissions and environment it is being ran in (e.g., non root, read only root container would likely have no impact vs running something as root on a production system). The severity is also dependent on **arbitrary archives** being passed or not. Based on the above, severity high was picked to be safe. ### Patches Patched with the help of snyk and gosec in v1.0.1 ### Workarounds The only workaround is to manually validate archives before submitting them to this library, however that is not recommended vs upgrading to unaffected versions. ### References https://security.snyk.io/research/zip-slip-vulnerability

Metadata

Created: 2025-03-28T14:45:59Z
Modified: 2025-03-28T14:45:59Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/03/GHSA-j95m-rcjp-q69h/GHSA-j95m-rcjp-q69h.json
CWE IDs: ["CWE-22"]
Alternative ID: N/A
Finding: F063
Auto approve: 1