Path Traversal "Zip Slip" Vulnerability in mholt/archiver (Go)

Overview 

A critical Path Traversal ("Zip Slip") vulnerability (CVE-2025-3445) has been discovered in the mholt/archiver library for Go. This flaw allows an attacker to craft a malicious ZIP file containing path traversal symlinks, enabling arbitrary file creation or overwrite on the target system with the same privileges as the application using the library.

The vulnerability stems from insufficient validation when extracting ZIP archives using archiver.Unarchive(). A similar issue was previously identified in TAR files (CVE-2024-0406), but despite a fix, no official release was made before the project was deprecated. The successor, mholt/archives (v0.1.0), removes the vulnerable Unarchive() functionality entirely.

Technical Details

• Affected Function: archiver.Unarchive(zipFile, outputDir)

• Impact: Arbitrary file write, privilege escalation, remote code execution (RCE)

• Base Score: 8.1 (HIGH)

• Published Date: April 13, 2025

How the Exploit Works

When a malicious ZIP file is processed, an attacker can embed entries with relative paths (e.g., ../../malicious.sh). If the extraction process does not properly sanitize these paths, files can be written outside the intended directory (outputDir), leading to:

• Overwriting system files (e.g., /etc/passwd, .bashrc).

• Planting backdoors in executable paths.

• Escalating privileges if the application runs with elevated permissions.

Sample Attack Scenario

1. Attacker Crafts a Malicious ZIP File

   • A ZIP file is created with an entry named ../../../tmp/evil.sh.

   • The file contains a reverse shell payload or a script that modifies critical system files.

2. Victim Extracts the ZIP File

   • The vulnerable Go application uses archiver.Unarchive() to extract user-uploaded ZIP files.

   • Due to improper path sanitization, evil.sh is written to /tmp/ instead of the intended directory.

3. Exploitation

   • If the victim (or a scheduled task) executes /tmp/evil.sh, the attacker gains control.

   • Alternatively, overwriting .profile or .bashrc can lead to persistence.

Vulnerable Code Example

go

Copy

package main

import (
	"github.com/mholt/archiver/v3"
)

func main() {
	err := archiver.Unarchive("malicious.zip", "./safe_dir")
	if err != nil {
		panic(err)
	}
}

If malicious.zip contains ../../etc/cron.d/backdoor, the file is written to /etc/cron.d/ instead of ./safe_dir.

Mitigation & Fixes

1. Immediate Workaround

   • Avoid using archiver.Unarchive() for untrusted ZIP files.

   • Manually validate file paths before extraction:

     go

     Copy

     if strings.Contains(filePath, "..") || strings.HasPrefix(filePath, "/") {
         return errors.New("illegal path traversal detected")
     }

2. Upgrade to mholt/archives (v0.1.0 or later)

   • The new library removes Unarchive() and enforces safer extraction methods.

3. Alternative Libraries

   • Use secure alternatives like archive/zip (Go’s standard library) with strict path checks.

Conclusion

CVE-2025-3445 poses a significant risk to applications using mholt/archiver for ZIP extraction. Developers should immediately:

• Stop using archiver.Unarchive() for untrusted archives.

• Migrate to mholt/archives or implement strict path validation.

• Audit logs for suspicious file writes in sensitive directories.

Failure to patch this vulnerability could lead to full system compromise in affected environments.

---

References:

• https://nvd.nist.gov/