GHSA-p799-q2pr-6mxj – go.rgst.io/stencil/v2

Package

Manager: go
Name: go.rgst.io/stencil/v2
Vulnerable Version: >=0 <2.3.0

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N

EPSS: N/A pctlN/A

Details

go.rgst.io/stencil/v2 vulnerable to Path Traversal ### Impact The library used to extract archives (github.com/jaredallard/archives) was vulnerable to the "zip slip" vulnerability. This is used to extract native extension archives and repository source archives. A native extension or repository archive could be crafted in such a way where a remote code execution or modification/reading of a file is possible using the user who is running stencil. The severity is marked as "medium" because native extensions have always considered to be "unsafe" to run when not trusted. Native extensions are arbitrary code being ran, which could always do this same exploit with less steps. The medium severity is to reflect that this could be done even when a user is _not_ using a native extension, for example a repository source archive. However, one would need to mutate the archives provided by Github or perform some hackery with links, which may not be possible. Thus, "medium" is used out of an abundance of caution where I would've labeled this as "low". ### Patches Patched in 2.3.0 and above. ### Workarounds No workarounds are present. ### References https://github.com/jaredallard/archives/security/advisories/GHSA-j95m-rcjp-q69h

Metadata

Created: 2025-03-29T00:08:44Z
Modified: 2025-03-29T00:08:44Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/03/GHSA-p799-q2pr-6mxj/GHSA-p799-q2pr-6mxj.json
CWE IDs: ["CWE-22"]
Alternative ID: N/A
Finding: F063
Auto approve: 1