Mholt/archiver: path traversal vulnerability
Description
A flaw was discovered in the mholt/archiver package. An attacker can craft a tar file which, when unpacked with the library, may write to restricted files or directories. This can lead to files being created or overwritten with the privileges of the user or application that uses the library.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CVE-2024-0406: mholt/archiver tar unpacking allows arbitrary file write via path traversal.
Vulnerability overview
CVE-2024-0406 is a path traversal vulnerability in the mholt/archiver Go package. The flaw occurs when the library extracts tar archives: entry names are not validated against the extraction directory, so an attacker can craft an archive whose entries (for example, names containing ".." components) resolve to locations outside the intended extraction directory [2][3]. This can lead to arbitrary file creation or overwriting with the privileges of the user or application that uses the library.
Attack vector
An attacker must deliver a specially crafted tar file to a user or application that uses mholt/archiver to extract archives. No authentication is required; it is enough that the target extracts the archive, whether a user does so by hand or a service does so automatically on untrusted input. The attack requires no special network position beyond the ability to supply the malicious archive [1].
Impact
Successful exploitation can overwrite critical system files, create files in restricted directories, or lead to code execution by overwriting executables, scripts or configuration files that are later run or loaded. The impact is bounded by the privileges of the process performing the extraction and by which paths it can reach from the extraction directory [2].
Mitigation
The mholt/archiver package is deprecated and no longer maintained, and no patched version is listed for the affected range. Users should migrate to the successor package mholt/archives, which has an improved API and security fixes [4]. Until that migration is complete, any code that extracts untrusted archives with mholt/archiver should validate that each entry's resolved path stays inside the destination directory before writing it. Red Hat has released an advisory (RHSA-2025:2449) for affected products [1].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
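The entry-name check described in the overview and mitigation above, as an added example that is not code from the original page, from mholt/archiver or from mholt/archives. It is a self-contained Go extractor: SafeJoin (a name chosen here) resolves each tar entry name against the destination directory and rejects anything that lands outside it, Extract applies the check while unpacking, and BuildSampleTar constructs an in-memory archive (constructed sample data, not a real exploit file) with one benign entry and two entries of the kind the advisory describes. It assumes a POSIX host and uses only the Go standard library.

```go
package main

import (
	"archive/tar"
	"bytes"
	"errors"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
)

// ErrTraversal marks an archive entry whose name would resolve outside the extraction directory.
var ErrTraversal = errors.New("tar entry escapes extraction directory")

// SafeJoin resolves a tar entry name (slash-separated, as stored in the archive) against dest
// and rejects it unless the cleaned result stays inside dest. This is the validation the
// advisory describes as missing. On Go 1.20+ filepath.IsLocal(name) checks the name alone.
func SafeJoin(dest, name string) (string, error) {
	if name == "" || strings.HasPrefix(name, "/") {
		return "", fmt.Errorf("%w: %q", ErrTraversal, name)
	}
	cleanDest := filepath.Clean(dest)
	target := filepath.Join(cleanDest, filepath.FromSlash(name)) // Join cleans, collapsing ".." segments
	if target != cleanDest && !strings.HasPrefix(target, cleanDest+string(os.PathSeparator)) {
		return "", fmt.Errorf("%w: %q", ErrTraversal, name)
	}
	return target, nil
}

// Extract unpacks regular files and directories from a tar stream into dest. Entries that
// fail SafeJoin are skipped and reported in rejected instead of being written. Symlinks and
// other entry types are deliberately not extracted: confining link targets is a separate check.
func Extract(dest string, r io.Reader) (written, rejected []string, err error) {
	tr := tar.NewReader(r)
	for {
		hdr, nerr := tr.Next()
		if nerr == io.EOF {
			return written, rejected, nil
		}
		if nerr != nil {
			return written, rejected, nerr
		}
		target, jerr := SafeJoin(dest, hdr.Name)
		if jerr != nil {
			rejected = append(rejected, hdr.Name)
			continue
		}
		switch hdr.Typeflag {
		case tar.TypeDir:
			err = os.MkdirAll(target, 0o755)
		case tar.TypeReg:
			err = writeFile(target, tr)
		default:
			continue
		}
		if err != nil {
			return written, rejected, err
		}
		written = append(written, hdr.Name)
	}
}

// writeFile creates the parent directories of target and streams the entry body into it.
func writeFile(target string, r io.Reader) error {
	if err := os.MkdirAll(filepath.Dir(target), 0o755); err != nil {
		return err
	}
	f, err := os.Create(target)
	if err != nil {
		return err
	}
	defer f.Close()
	_, err = io.Copy(f, r)
	return err
}

// BuildSampleTar constructs, in memory and for this example only, an archive holding one
// benign entry and two of the traversal entries the advisory describes.
func BuildSampleTar() []byte {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	for _, e := range []struct{ name, body string }{
		{"safe.txt", "hello\n"},
		{"../../evil.txt", "owned\n"},               // relative traversal via ".." components
		{"/etc/cron.d/evil", "* * * * * root id\n"}, // absolute name
	} {
		h := &tar.Header{Name: e.name, Typeflag: tar.TypeReg, Mode: 0o644, Size: int64(len(e.body))}
		if err := tw.WriteHeader(h); err != nil {
			panic(err)
		}
		tw.Write([]byte(e.body))
	}
	tw.Close()
	return buf.Bytes()
}

func main() {
	dest, _ := os.MkdirTemp("", "untar-")
	defer os.RemoveAll(dest)
	written, rejected, err := Extract(dest, bytes.NewReader(BuildSampleTar()))
	fmt.Println("written:", written, "rejected:", rejected, "err:", err)
}
```

Running main extracts into a temporary directory and prints safe.txt as written and the two traversal names as rejected. The same confinement rule has to be applied to symlink and hard-link targets, which this example leaves out: an entry that creates a link pointing outside the destination, followed by an entry written through that link, escapes the directory just as a ".." name does.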
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| github.com/mholt/archiver/v3 | Go | >= 3.0.0, <= 3.5.1 | — |
| github.com/mholt/archiver | Go | >= 3.0.0, <= 3.5.1 | — |
Affected products
No CPE identifiers are listed for these entries.

| Package (purl) | Affected range |
|---|---|
| pkg:apk/chainguard/chainctl | < 0.2.59-r0 |
| pkg:apk/chainguard/datadog-agent | < 7.52.1-r2 |
| pkg:apk/chainguard/datadog-agent-core-integrations | < 7.52.1-r2 |
| pkg:apk/chainguard/datadog-agent-core-integrations-fips | < 7.54.0-r0 |
| pkg:apk/chainguard/datadog-agent-fakeintake | < 7.52.1-r2 |
| pkg:apk/chainguard/datadog-agent-fakeintake-fips | < 7.54.0-r0 |
| pkg:apk/chainguard/datadog-agent-fips | < 7.54.0-r0 |
| pkg:apk/chainguard/datadog-agent-jmx | < 7.52.1-r2 |
| pkg:apk/chainguard/datadog-agent-jmx-fips | < 7.54.0-r0 |
| pkg:apk/chainguard/datadog-agent-oci-compat | < 7.52.1-r2 |
| pkg:apk/chainguard/datadog-agent-oci-compat-fips | < 7.54.0-r0 |
| pkg:apk/chainguard/datadog-agent-s6-overlay | < 7.52.1-r2 |
| pkg:apk/chainguard/datadog-agent-s6-overlay-fips | < 7.54.0-r0 |
| pkg:apk/chainguard/datadog-cluster-agent | < 7.52.1-r2 |
| pkg:apk/chainguard/datadog-cluster-agent-fips | < 7.54.0-r0 |
| pkg:apk/chainguard/datadog-cluster-agent-oci-compat | < 7.52.1-r2 |
| pkg:apk/chainguard/datadog-cluster-agent-oci-compat-fips | < 7.54.0-r0 |
| pkg:apk/chainguard/docker-credential-cgr | < 0.2.59-r0 |
| pkg:apk/chainguard/dogstatsd | < 7.52.1-r2 |
| pkg:apk/chainguard/filebrowser | < 2.45.0-r0 |
| pkg:apk/chainguard/gotenberg | < 8.5.0-r0 |
| pkg:apk/chainguard/k9s | < 0.32.4-r3 |
| pkg:apk/chainguard/kots | < 1.128.3-r0 |
| pkg:apk/chainguard/kubescape | < 3.0.10-r0 |
| pkg:apk/chainguard/mattermost-10.0 | < 10.0.4-r3 |
| pkg:apk/chainguard/mattermost-10.0-compat | < 10.0.4-r3 |
| pkg:apk/chainguard/mattermost-10.1 | < 10.1.6-r1 |
| pkg:apk/chainguard/mattermost-10.1-compat | < 10.1.6-r1 |
| pkg:apk/chainguard/mattermost-10.2 | < 10.2.1-r4 |
| pkg:apk/chainguard/mattermost-10.2-compat | < 10.2.1-r4 |
| pkg:apk/chainguard/mattermost-10.3 | < 10.3.1-r1 |
| pkg:apk/chainguard/mattermost-10.3-compat | < 10.3.1-r1 |
| pkg:apk/chainguard/mattermost-10.4 | < 10.4.2-r0 |
| pkg:apk/chainguard/mattermost-10.4-compat | < 10.4.2-r0 |
| pkg:apk/chainguard/mattermost-10.7 | < 10.7.3-r1 |
| pkg:apk/chainguard/mattermost-10.7-compat | < 10.7.3-r1 |
| pkg:apk/chainguard/mattermost-10.9 | < 10.9.2-r1 |
| pkg:apk/chainguard/mattermost-10.9-compat | < 10.9.2-r1 |
| pkg:apk/chainguard/mattermost-9.11 | < 9.11.18-r4 |
| pkg:apk/chainguard/mattermost-fips-10.9 | < 10.9.2-r1 |
| pkg:apk/chainguard/mattermost-fips-10.9-compat | < 10.9.2-r1 |
| pkg:apk/chainguard/nuclei | < 3.2.5-r1 |
| pkg:apk/chainguard/openbao | < 0 |
| pkg:apk/chainguard/openbao-compat | < 0 |
| pkg:apk/chainguard/openbao-fips | < 0 |
| pkg:apk/chainguard/terragrunt | < 0.64.0-r0 |
| pkg:apk/chainguard/terragrunt-docs | < 0.64.0-r0 |
| pkg:apk/chainguard/vault-1.16 | < 1.16.3-r37 |
| pkg:apk/chainguard/vault-fips-1.14 | < 1.14.11-r2 |
| pkg:apk/chainguard/vault-fips-1.14-compat | < 1.14.11-r2 |
| pkg:apk/chainguard/wolfictl | < 0.16.6-r1 |
| pkg:apk/chainguard/zarf | < 0.33.1-r1 |
| pkg:apk/wolfi/datadog-agent | < 7.52.1-r2 |
| pkg:apk/wolfi/datadog-agent-core-integrations | < 7.52.1-r2 |
| pkg:apk/wolfi/datadog-agent-fakeintake | < 7.52.1-r2 |
| pkg:apk/wolfi/datadog-agent-jmx | < 7.52.1-r2 |
| pkg:apk/wolfi/datadog-agent-oci-compat | < 7.52.1-r2 |
| pkg:apk/wolfi/datadog-agent-s6-overlay | < 7.52.1-r2 |
| pkg:apk/wolfi/datadog-cluster-agent | < 7.52.1-r2 |
| pkg:apk/wolfi/datadog-cluster-agent-oci-compat | < 7.52.1-r2 |
| pkg:apk/wolfi/dogstatsd | < 7.52.1-r2 |
| pkg:apk/wolfi/filebrowser | < 2.45.0-r0 |
| pkg:apk/wolfi/k9s | < 0.32.4-r3 |
| pkg:apk/wolfi/kots | < 1.128.3-r0 |
| pkg:apk/wolfi/kubescape | < 3.0.10-r0 |
| pkg:apk/wolfi/mattermost-10.0 | < 10.0.4-r3 |
| pkg:apk/wolfi/mattermost-10.0-compat | < 10.0.4-r3 |
| pkg:apk/wolfi/mattermost-10.1 | < 10.1.6-r1 |
| pkg:apk/wolfi/mattermost-10.1-compat | < 10.1.6-r1 |
| pkg:apk/wolfi/mattermost-10.2 | < 10.2.1-r4 |
| pkg:apk/wolfi/mattermost-10.2-compat | < 10.2.1-r4 |
| pkg:apk/wolfi/mattermost-10.3 | < 10.3.1-r1 |
| pkg:apk/wolfi/mattermost-10.3-compat | < 10.3.1-r1 |
| pkg:apk/wolfi/mattermost-10.4 | < 10.4.2-r0 |
| pkg:apk/wolfi/mattermost-10.4-compat | < 10.4.2-r0 |
| pkg:apk/wolfi/mattermost-10.7 | < 10.7.4-r5 |
| pkg:apk/wolfi/mattermost-10.9 | < 10.9.2-r1 |
| pkg:apk/wolfi/mattermost-10.9-compat | < 10.9.2-r1 |
| pkg:apk/wolfi/nuclei | < 3.2.5-r1 |
| pkg:apk/wolfi/openbao | < 0 |
| pkg:apk/wolfi/openbao-compat | < 0 |
| pkg:apk/wolfi/terragrunt | < 0.64.0-r0 |
| pkg:apk/wolfi/terragrunt-docs | < 0.64.0-r0 |
| pkg:apk/wolfi/wolfictl | < 0.16.6-r1 |
| pkg:apk/wolfi/zarf | < 0.33.1-r1 |
| pkg:golang/github.com/mholt/archiver | >= 3.0.0, <= 3.5.1 |
| pkg:golang/github.com/mholt/archiver/v3 | >= 3.0.0, <= 3.5.1 |
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- access.redhat.com/errata/RHSA-2025:2449 (Red Hat vendor advisory)
- github.com/advisories/GHSA-rhh4-rh7c-7r5v (GitHub Security Advisory)
- nvd.nist.gov/vuln/detail/CVE-2024-0406 (NVD entry)
- access.redhat.com/security/cve/CVE-2024-0406 (Red Hat CVE database entry)
- bugzilla.redhat.com/show_bug.cgi (Red Hat Bugzilla issue tracking)
- pkg.go.dev/vuln/GO-2024-2698 (Go vulnerability database)
News mentions
No linked articles in our index yet.