CVE-2025-0377Link Following in Shared Library

CWE-59Link Following6 documents5 sources
Severity
9.1CRITICALNVD
CNA7.5
EPSS
0.5%
top 35.55%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
Hashicorp Shared LibraryGithub.com Hashicorp Go-slugHashicorp Go-slug
Timeline
PublishedJan 21
Latest updateJan 28

Description

HashiCorp’s go-slug library is vulnerable to a zip-slip style attack when a non-existing user-provided path is extracted from the tar entry.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:NExploitability: 3.9 | Impact: 5.2

Affected Packages3 packages

NVDhashicorp/go-slug< 0.16.3
CVEListV5hashicorp/shared_library< 0.16.2

🔴Vulnerability Details

4
OSV
HashiCorp go-slug Vulnerable to Zip Slip Attack in github.com/hashicorp/go-slug2025-01-28
OSV
HashiCorp go-slug Vulnerable to Zip Slip Attack2025-01-21
CVEList
HashiCorp go-slug Vulnerable to Zip Slip Attack2025-01-21
GHSA
HashiCorp go-slug Vulnerable to Zip Slip Attack2025-01-21

📋Vendor Advisories

1
Red Hat
go-slug: HashiCorp go-slug Vulnerable to Zip Slip Attack2025-01-21
CVE-2025-0377 — Link Following in Shared Library | cvebase