Path traversal in github.com/artdarek/go-unzip
Description
Due to improper path sanitization, archives containing relative file paths can cause files to be written (or overwritten) outside of the target directory.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CVE-2020-36560: Zip Slip vulnerability in Go archive extraction due to improper path sanitization, allowing arbitrary file write outside target directory.
Vulnerability Overview
CVE-2020-36560 is a Zip Slip vulnerability in the go-unzip Go package (github.com/artdarek/go-unzip). Due to improper path sanitization, an archive member whose name contains a relative path such as ../../evil.sh is written, or overwrites an existing file, outside the intended destination directory [1][2]. This is the classic directory traversal pattern in archive extraction: Snyk's research documented it across many ecosystems, Java in particular, and Go libraries are affected in exactly the same way [2].
Attack Vector and Exploitation
An attacker crafts a malicious archive whose member names include directory traversal sequences (e.g., ../). When a vulnerable application extracts the archive without checking where each resolved path lands, the members are written to attacker-chosen locations on the filesystem [2]. No authentication is required beyond whatever lets the attacker deliver the archive to the extraction routine (e.g., a file upload, an email attachment, or a network service that unpacks its input). The vulnerability can be exploited on both client and server systems [2].
Impact
Successful exploitation lets an attacker overwrite executables, configuration files, or other sensitive resources, which can lead to remote code execution (RCE) or full system compromise [2]. The actual impact is bounded by the permissions of the extracting process: an unprivileged extractor can only clobber files its user may write, whereas one running with high privileges can overwrite system binaries.
Mitigation
go-unzip fixed the issue in version 2.0.0 (pull request #2, commit 4975cbe0a719) by checking that each joined extraction path stays under the destination directory, and the Go vulnerability database tracks it as GO-2020-0034 [3][4]. Users should update to 2.0.0 or later. In any archive extraction code, the check that matters is on the resolved output path, not on the raw member name: join the name onto the destination, clean the result, and reject anything that does not remain inside the destination, rather than relying on string matching for ".." or on stripping leading slashes alone. Running the extraction as an unprivileged user in a dedicated directory limits the damage if such a check is missing or wrong.
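To make both the attack described above and the containment check concrete, here is an added example in Go. It is not code from the go-unzip project or from this advisory; the function names (buildArchive, unsafeTarget, safeTarget, writeMember, extract) and the temporary directory layout are this example's own choices. It builds a small zip archive in memory (constructed sample input) whose first member is named ../../evil.sh, extracts it once with the unchecked filepath.Join pattern, which drops evil.sh two levels above the destination, and once with a containment check based on filepath.Rel, which refuses the member before anything is written.

```go
package main

import (
	"archive/zip"
	"bytes"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
)

type entry struct{ Name, Body string } // one archive member: the name as stored in the zip, and its content

// buildArchive packs entries into an in-memory zip fixture. archive/zip stores member names verbatim,
// so "../../evil.sh" is written exactly as an attacker would craft it. The sink is a bytes.Buffer,
// which cannot fail, so the writer's error returns are deliberately not checked here.
func buildArchive(entries []entry) []byte {
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	for _, e := range entries {
		w, _ := zw.Create(e.Name)
		io.WriteString(w, e.Body)
	}
	zw.Close() // flushes the last member and writes the central directory
	return buf.Bytes()
}

// unsafeTarget is the vulnerable pattern: join the member name onto dest and trust the result.
// Join cleans the "..", so the path silently points above dest and nothing stops the write.
func unsafeTarget(dest, name string) (string, error) {
	return filepath.Join(dest, name), nil
}

// safeTarget joins the same way, then requires the cleaned result to stay under dest. filepath.Rel
// yields ".." or "../..." exactly when the target escapes, however the traversal was spelled in the
// archive ("a/../../x", a leading "/", and so on), so no pattern matching on the raw name is needed.
func safeTarget(dest, name string) (string, error) {
	target := filepath.Join(dest, name)
	rel, err := filepath.Rel(dest, target)
	if err != nil {
		return "", err
	}
	if rel == ".." || strings.HasPrefix(rel, ".."+string(os.PathSeparator)) {
		return "", fmt.Errorf("%s: illegal file path, escapes %s", name, dest)
	}
	return target, nil
}

// writeMember materialises one zip member at target, creating parent directories as needed.
func writeMember(f *zip.File, target string) error {
	if f.FileInfo().IsDir() {
		return os.MkdirAll(target, 0o755)
	}
	if err := os.MkdirAll(filepath.Dir(target), 0o755); err != nil {
		return err
	}
	rc, err := f.Open()
	if err != nil {
		return err
	}
	defer rc.Close()
	out, err := os.Create(target)
	if err != nil {
		return err
	}
	defer out.Close()
	_, err = io.Copy(out, rc)
	return err
}

// extract unpacks data into dest, letting resolve choose each output path, and returns the paths it
// wrote. It stops at the first error, so a rejected member leaves nothing behind.
func extract(data []byte, dest string, resolve func(dest, name string) (string, error)) ([]string, error) {
	zr, err := zip.NewReader(bytes.NewReader(data), int64(len(data)))
	if err != nil {
		return nil, err
	}
	var written []string
	for _, f := range zr.File {
		target, err := resolve(dest, f.Name)
		if err != nil {
			return written, err
		}
		if err := writeMember(f, target); err != nil {
			return written, err
		}
		written = append(written, target)
	}
	return written, nil
}

func main() {
	// Constructed malicious archive: the first member escapes dest, the second is benign.
	data := buildArchive([]entry{{"../../evil.sh", "#!/bin/sh\necho pwned\n"}, {"docs/readme.txt", "harmless\n"}})
	root, _ := os.MkdirTemp("", "zipslip")
	defer os.RemoveAll(root)
	dest := filepath.Join(root, "a", "b") // two levels down, so "../../" resolves to root itself
	w, err := extract(data, dest, unsafeTarget)
	fmt.Println("unsafe:", w, err) // evil.sh lands directly under root, outside dest
	w, err = extract(data, dest, safeTarget)
	fmt.Println("safe:", w, err) // nothing written; the first member is rejected
}
```

Two caveats that apply equally to the go-unzip fix: the check is lexical, so it says nothing about symlinks that already exist under the destination (or symlink members, if the extractor creates them), and an absolute member name like /etc/passwd is confined to dest/etc/passwd rather than rejected, which is safe but may not be what a strict policy wants. On Go 1.20 and later, filepath.IsLocal(name) on the raw member name gives that stricter up-front rejection, and archive/zip's NewReader will itself flag non-local names with zip.ErrInsecurePath when GODEBUG includes zipinsecurepath=0.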
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/artdarek/go-unzip (Go) | < 2.0.0 | 2.0.0 |
Affected products
- github.com/artdarek/go-unzip
Patches
1 file changed · +1 −1
README.md+1 −1 modified@@ -14,7 +14,7 @@ go get -u github.com/artdarek/go-unzip package main import ( - "github.com/artdarek/go-unzip" + "github.com/artdarek/go-unzip" "fmt" )
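Review bot: the `-` and `+` lines of this README.md hunk read identically once rendered here, so whatever changed on the import line (quoting or whitespace, most likely) cannot be confirmed from the diff as shown; either way the hunk only touches the usage example in README.md and has no bearing on the traversal fix.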
4975cbe0a719 Merge pull request #2 from snoopysecurity/fix/santize-filename-paths
1 file changed · +4 −0
unzip.go+4 −0 modified@@ -6,6 +6,7 @@ import ( "path/filepath" "io" "fmt" + "strings" ) type Unzip struct { @@ -46,6 +47,9 @@ func (uz Unzip) Extract() error { }() path := filepath.Join(uz.Dest, f.Name) + if !strings.HasPrefix(path, filepath.Clean(uz.Dest)+string(os.PathSeparator)) { + return fmt.Errorf("%s: Illegal file path", path) + } if f.FileInfo().IsDir() { os.MkdirAll(path, f.Mode())
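Review bot: in the Extract() hunk the containment check recomputes `filepath.Clean(uz.Dest)+string(os.PathSeparator)` for every entry; clean `uz.Dest` once before the loop and compare against that, which also makes the intent obvious to the next reader. The check itself is sound for `..` sequences because `filepath.Join` cleans `path` before the prefix comparison, but it is purely lexical: it does not account for symlinks already present under `uz.Dest`, and with `uz.Dest` set to the filesystem root the prefix becomes `//`, so every entry is refused (a safe failure, but worth a comment, or a `filepath.Rel`-based test that handles that case). Separately, the unchanged context line `os.MkdirAll(path, f.Mode())` still discards its error, so a failed directory creation falls through silently.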
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-rmj9-q58g-9qgg (ADVISORY, via GHSA)
- nvd.nist.gov/vuln/detail/CVE-2020-36560 (ADVISORY, via GHSA)
- github.com/artdarek/go-unzip/commit/4975cbe0a719dc50b12da8585f1f207c82f7dfe0 (WEB, via GHSA)
- github.com/artdarek/go-unzip/pull/2 (WEB, via GHSA)
- pkg.go.dev/vuln/GO-2020-0034 (WEB, via GHSA)
- snyk.io/research/zip-slip-vulnerability (WEB, via GHSA)
News mentions
No linked articles in our index yet.