CVE-2025-0377
published 2025-01-21CVE-2025-0377: HashiCorp’s go-slug library is vulnerable to a zip-slip style attack when a non-existing user-provided path is extracted from the tar entry.
PriorityP346critical9.1CVSS 3.1
AVNACLPRNUINSUCHIHAN
EPSS
0.67%
47.3th percentile
HashiCorp’s go-slug library is vulnerable to a zip-slip style attack when a non-existing user-provided path is extracted from the tar entry.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | hashicorp_go-slug | >= 0 < 0.16.3 | 0.16.3 |
| hashicorp | go-slug | < 0.16.3 | 0.16.3 |
| hashicorp | shared_library | < 0.16.2 | 0.16.2 |
CVSS provenance
nvdv3.19.1CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
ghsa9.1CRITICAL
osv9.1CRITICAL
vendor_redhat7.5HIGH
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
OSV
HashiCorp go-slug Vulnerable to Zip Slip Attack in github.com/hashicorp/go-slug
osv·2025-01-28
CVE-2025-0377 HashiCorp go-slug Vulnerable to Zip Slip Attack in github.com/hashicorp/go-slug
HashiCorp go-slug Vulnerable to Zip Slip Attack in github.com/hashicorp/go-slug
HashiCorp go-slug Vulnerable to Zip Slip Attack in github.com/hashicorp/go-slug
OSV
HashiCorp go-slug Vulnerable to Zip Slip Attack
osv·2025-01-21·CVSS 9.1
CVE-2025-0377 [CRITICAL] HashiCorp go-slug Vulnerable to Zip Slip Attack
HashiCorp go-slug Vulnerable to Zip Slip Attack
## Summary
HashiCorp’s go-slug library is vulnerable to a zip-slip style attack when a non-existing user-provided path is extracted from the tar entry. This vulnerability, identified as CVE-2025-0377, is fixed in go-slug 0.16.3.
## Background
HashiCorp’s go-slug shared library offers functions for packing and unpacking Terraform Enterprise compatible slugs. Slugs are gzip compressed tar files containing Terraform configuration files.
## Details
When go-slug performs an extraction, the filename/extraction path is taken from the tar entry via the header.Name. It was discovered that the unpacking step improperly validated paths, potentially leading to path traversal, allowing an attacker to write an arbitrary file during extraction.
## Remed
GHSA
HashiCorp go-slug Vulnerable to Zip Slip Attack
ghsa·2025-01-21·CVSS 9.1
CVE-2025-0377 [CRITICAL] CWE-59 HashiCorp go-slug Vulnerable to Zip Slip Attack
HashiCorp go-slug Vulnerable to Zip Slip Attack
## Summary
HashiCorp’s go-slug library is vulnerable to a zip-slip style attack when a non-existing user-provided path is extracted from the tar entry. This vulnerability, identified as CVE-2025-0377, is fixed in go-slug 0.16.3.
## Background
HashiCorp’s go-slug shared library offers functions for packing and unpacking Terraform Enterprise compatible slugs. Slugs are gzip compressed tar files containing Terraform configuration files.
## Details
When go-slug performs an extraction, the filename/extraction path is taken from the tar entry via the header.Name. It was discovered that the unpacking step improperly validated paths, potentially leading to path traversal, allowing an attacker to write an arbitrary file during extraction.
## Remed
Red Hat
go-slug: HashiCorp go-slug Vulnerable to Zip Slip Attack
vendor_redhat·2025-01-21·CVSS 7.5
CVE-2025-0377 [HIGH] CWE-59 go-slug: HashiCorp go-slug Vulnerable to Zip Slip Attack
go-slug: HashiCorp go-slug Vulnerable to Zip Slip Attack
HashiCorp’s go-slug library is vulnerable to a zip-slip style attack when a non-existing user-provided path is extracted from the tar entry.
An archive extraction vulnerability was found in HashiCorp's go-slug library. When go-slug performs an extraction, the filename/extraction path is taken from the tar entry via the `header.Name`. It was discovered that the unpacking step improperly validated paths, potentially leading to path traversal and allowing an attacker to write an arbitrary file during extraction.
Statement: None of the Red Hat offerings are affected by this vulnerability.
This issue has an impact over the integrity of the system as can write and over-write arbitrary files on the system where these files are extracted.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2025-01-21
Published