CyberDudeBivash Vulnerability Report - [CVE-2025-3445] – “Zip Slip” Path Traversal in mholt/archiver (Go)

1. Overview

A high‑severity path traversal vulnerability — CVE‑2025‑3445 — has been identified in the widely used mholt/archiver Go library's Unarchive() function. It allows crafted ZIPs containing traversal symlinks to overwrite files with the privileges of the running application.

  • CVSS v3.1: 8.1 (High Severity) — Network‑accessible, moderate complexity, no privileges needed, scoped change, partial integrity and low availability impact.

  • Component: archiver.Unarchive() — affected in versions v3.0.0 through v3.5.1

  • Risk: Arbitrary file overwrite, possible code execution, privilege escalation — especially harmful in CI pipelines, microservices, and DevOps environments.


2. Technical Breakdown

  • Vulnerability Type: Path Traversal (Zip Slip)

  • Root Cause: No path sanitization during unarchiving: ZIP entry names containing ../ segments, or symlink entries whose targets point outside the destination, are expanded directly into filesystem paths.

  • Attack Vector:

    1. Attacker crafts a ZIP containing symlinked entries targeting higher‑level directories.

    2. Victim runs Unarchive() without validation.

    3. Malicious entries overwrite key files, such as /etc/passwd, application configs, or init scripts, which can result in arbitrary file writes or code execution.

  • MITRE ATT&CK Mapping:

    • T1203 — Exploitation for Client Execution

    • T1068 — Exploitation for Privilege Escalation

    • T1550.003 — Use of Authentication Tokens (if config creds are overwritten)


3. Adversary Impact

  • Initial Access: Malicious ZIPs via deployments, package ingestion, CI pipelines.

  • Execution: Attacker can overwrite system binaries or inject malicious files into service paths.

  • Persistence: File replacement or seed files for later execution.

  • Impact:

    • Code execution on CI runners or build servers

    • Overwriting configuration or secret files

    • Supply‑chain compromise in DevOps pipelines


4. Hunting & Detection

IOCs

  • Unexpected files outside the intended extraction directory.

  • Crash logs showing failures accessing protected paths.

  • New or modified system files immediately post-extraction.

Sample Hunting Query (SIEM)

index=unarchive_logs event="unarchive" | where NOT like(file_path, "/expected_dir/%") | table timestamp, file_name, file_path, user

5. Mitigation & Remediation

  • Immediate Fix: Migrate to the updated and maintained library, mholt/archives, which removes Unarchive() support entirely.

  • Hardening Practices:

    • Validate ZIP entry paths to ensure they remain within the destination path (via canonical path checks)

    • Run unarchiving in isolated container/jail/sandbox

    • Use a path-validation helper function:

      fpath := filepath.Join(dest, entry.Name)
      // reject any entry whose cleaned path does not sit strictly under dest
      if !strings.HasPrefix(filepath.Clean(fpath), filepath.Clean(dest)+string(os.PathSeparator)) {
          return fmt.Errorf("illegal file path: %s", entry.Name)
      }

  • Pipeline Controls:

    • SAST integration to flag vulnerable use of archiver.Unarchive()

    • Block external ZIP uploads or scan them pre-unpack
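The helper in the Hardening Practices list above only checks entry names; the symlink entries this CVE abuses also need their targets checked. The following Go code is an added example, not code from this report or from mholt/archiver: it validates names with filepath.Rel instead of a prefix test, resolves each symlink target from the link's own directory, and audits a constructed entry list before anything is written. The names safeJoin, safeLink, auditEntries and sampleEntries are this example's own.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

type entry struct{ name, link string } // entry name plus, for symlink entries, the target

// safeJoin maps an entry name under dest, refusing absolute names and any ".." escape;
// filepath.Rel makes the containment check explicit and separator-safe.
func safeJoin(dest, name string) (string, error) {
	target := filepath.Join(dest, filepath.FromSlash(name)) // Join also Cleans
	rel, err := filepath.Rel(filepath.Clean(dest), target)
	if filepath.IsAbs(name) || err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(os.PathSeparator)) {
		return "", fmt.Errorf("illegal file path: %q", name)
	}
	return target, nil
}

// safeLink resolves a symlink target from the link's own directory and requires the result
// to stay under dest. Link-to-link chains are not followed; a strict extractor refuses symlinks.
func safeLink(dest, name, link string) error {
	if filepath.IsAbs(link) {
		return fmt.Errorf("absolute symlink target: %q -> %q", name, link)
	}
	_, err := safeJoin(dest, filepath.Join(filepath.Dir(filepath.FromSlash(name)), filepath.FromSlash(link)))
	return err
}

// auditEntries returns, in archive order, the entries an extractor must refuse before writing.
func auditEntries(dest string, entries []entry) []string {
	var bad []string
	for _, e := range entries {
		if _, err := safeJoin(dest, e.name); err != nil {
			bad = append(bad, e.name)
		} else if e.link != "" && safeLink(dest, e.name, e.link) != nil {
			bad = append(bad, e.name)
		}
	}
	return bad
}

// sampleEntries is constructed test data: benign file, ".." traversal, escaping symlink, in-dest symlink.
var sampleEntries = []entry{
	{name: "ok.txt"}, {name: "../evil.txt"},
	{name: "sub/link", link: "../../../etc/passwd"}, {name: "sub/inside", link: "../ok.txt"},
}
```

Running auditEntries("/tmp/out", sampleEntries) rejects "../evil.txt" and "sub/link" while accepting the benign file and the symlink that stays inside the destination.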


6. Strategic Insight

This vulnerability shows how a widely-used Go utility can become a catastrophe in CI/CD or microservice environments. Zip Slip isn’t extinct—in fact, it's still thriving in "trusted" code. The only way forward is to sanitize, sandbox, and remove risky archive handlers entirely.



#CyberDudeBivash #ThreatWire #CVE20253445 #ZipSlip #GoLangSecurity #PathTraversal #DevSecOps #ThreatHunting #IncidentResponse
