HashiCorp go-slug Vulnerable to Zip Slip Attack
Description
HashiCorp’s go-slug library is vulnerable to a zip-slip style attack when a non-existing user-provided path is extracted from the tar entry.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
HashiCorp's go-slug library before 0.16.3 is vulnerable to a zip-slip style path traversal when extracting tar entries, allowing arbitrary file writes.
Root Cause
The vulnerability resides in how go-slug handles tar entry extraction. When unpacking a gzip-compressed tar (slug), the library uses header.Name from the tar entry as the destination path without proper validation. If the tar entry specifies a non-existing path containing directory traversal sequences, the extraction does not safely resolve it, leading to a zip-slip style attack [1][2].
Exploitation Prerequisites
An attacker must supply a maliciously crafted tar archive that includes tar entries with path traversal prefixes (e.g., ../../). The target application must use the go-slug library to extract user-supplied slugs. No additional authentication is required if the application processes untrusted archives. The attack is performed by including a tar entry whose name points to a non-existing parent directory, allowing the traversal check to be bypassed [2].
Impact
Successful exploitation allows an attacker to write arbitrary files at arbitrary locations within the file system where the extraction process has write permissions. This could lead to overwriting critical system files, injecting malicious executables, or modifying application configuration, potentially resulting in code execution or privilege escalation [1][2].
Mitigation
The vulnerability is fixed in go-slug version 0.16.3. Users should upgrade to this version or later. There is no known workaround; the fix improves path validation during extraction to prevent traversal. HashiCorp has credited their Product Security team for discovering the issue [2].
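The check that closes this class of bug is a lexical one: resolve each entry name against the destination before touching the file system, so the answer does not depend on whether the named directory exists. The program below is an added example written for this page, not go-slug's own code; the SafeJoin, ExtractSlug, BuildSlug and Entry names, the Linux path assumptions and the in-memory archive are this example's constructions. It builds a slug containing a benign file and an entry named missing-dir/../../escape.txt, then shows the extractor refusing the second entry without writing anything outside the destination.

```go
package main

import (
	"archive/tar"
	"bytes"
	"compress/gzip"
	"errors"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
)

// ErrTraversal marks a tar entry that would resolve outside the destination.
var ErrTraversal = errors.New("tar entry escapes destination directory")

// SafeJoin is a purely lexical containment check: it never stats anything, so it
// answers the same whether or not the target exists yet (the advisory's case).
func SafeJoin(dst, name string) (string, error) {
	if filepath.IsAbs(name) || filepath.VolumeName(name) != "" {
		return "", ErrTraversal // an absolute entry name is never inside dst
	}
	// Join cleans the result, so "missing-dir/../../x" becomes "../x" from dst.
	target := filepath.Join(dst, filepath.FromSlash(name))
	rel, _ := filepath.Rel(dst, target) // cannot fail: target is derived from dst
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrTraversal
	}
	return target, nil
}

// ExtractSlug unpacks a gzip-compressed tar into dst and fails closed on the
// first entry SafeJoin rejects; entry types it does not handle are errors too.
func ExtractSlug(dst string, r io.Reader) error {
	gz, err := gzip.NewReader(r)
	if err != nil {
		return err
	}
	defer gz.Close()
	tr := tar.NewReader(gz)
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			return nil
		} else if err != nil {
			return err
		}
		target, err := SafeJoin(dst, hdr.Name)
		if err != nil {
			return fmt.Errorf("entry %q: %w", hdr.Name, err)
		}
		if err = os.MkdirAll(filepath.Dir(target), 0o755); err != nil {
			return err
		}
		switch hdr.Typeflag {
		case tar.TypeDir:
			err = os.MkdirAll(target, 0o755)
		case tar.TypeReg:
			var f *os.File
			if f, err = os.OpenFile(target, os.O_CREATE|os.O_WRONLY|os.O_TRUNC, 0o644); err == nil {
				_, err = io.Copy(f, tr)
				f.Close()
			}
		default: // symlinks, hard links, devices: reject rather than silently skip
			err = fmt.Errorf("entry %q: unsupported type %d", hdr.Name, hdr.Typeflag)
		}
		if err != nil {
			return err
		}
	}
}

// Entry is one constructed tar entry for the demo archive (a regular file).
type Entry struct{ Name, Body string }
// BuildSlug builds a gzip-compressed tar in memory as a stand-in for a
// user-supplied slug; names are written exactly as given, ".." included.
func BuildSlug(entries []Entry) []byte {
	var buf bytes.Buffer
	gz := gzip.NewWriter(&buf)
	tw := tar.NewWriter(gz)
	for _, e := range entries { // in-memory writes cannot fail; errors ignored
		tw.WriteHeader(&tar.Header{Name: e.Name, Mode: 0o644, Typeflag: tar.TypeReg, Size: int64(len(e.Body))})
		tw.Write([]byte(e.Body))
	}
	tw.Close()
	gz.Close()
	return buf.Bytes()
}

func main() {
	dst, _ := os.MkdirTemp("", "slug-demo-")
	defer os.RemoveAll(dst)
	// Constructed malicious slug: a benign file, then an escape via a directory that does not exist.
	slug := BuildSlug([]Entry{{Name: "config/app.hcl", Body: "region = \"us-east-1\"\n"},
		{Name: "missing-dir/../../escape.txt", Body: "owned\n"}})
	fmt.Println("extract:", ExtractSlug(dst, bytes.NewReader(slug)))
}
```

Run it with go run; the extractor prints an error wrapping ErrTraversal for the second entry and the file never lands outside the temporary directory. Two caveats a practitioner should note. First, symlink entries are rejected here on purpose: accepting them safely requires checking the raw link target, because the kernel resolves a target such as sub/b/.. by following sub/b first, so a lexically cleaned target is not enough. Second, Go's archive/tar can flag such names itself (Reader.Next returns tar.ErrInsecurePath when GODEBUG=tarinsecurepath=0 is set), but that behaviour is off by default, so an extractor must still do its own check.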
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/hashicorp/go-slug (Go) | < 0.16.3 | 0.16.3 |
Affected products
62 package version ranges from OSV coordinates, keyed by package URL (no CPE is recorded for any of them), plus one vendor entry.

| Package (purl) | Affected range |
|---|---|
| pkg:apk/chainguard/opentofu-1.6 | < 1.6.3-r5 |
| pkg:apk/chainguard/opentofu-1.6-compat | < 1.6.3-r5 |
| pkg:apk/chainguard/opentofu-1.6-local-provider-config | < 1.6.3-r5 |
| pkg:apk/chainguard/opentofu-1.7 | < 1.7.10-r6 |
| pkg:apk/chainguard/opentofu-1.7-compat | < 1.7.10-r6 |
| pkg:apk/chainguard/opentofu-1.7-local-provider-config | < 1.7.10-r6 |
| pkg:apk/chainguard/opentofu-1.8 | < 1.8.8-r2 |
| pkg:apk/chainguard/opentofu-1.8-compat | < 1.8.8-r2 |
| pkg:apk/chainguard/opentofu-1.8-local-provider-config | < 1.8.8-r2 |
| pkg:apk/chainguard/opentofu-1.9 | < 1.9.0-r2 |
| pkg:apk/chainguard/opentofu-1.9-compat | < 1.9.0-r2 |
| pkg:apk/chainguard/opentofu-1.9-local-provider-config | < 1.9.0-r2 |
| pkg:apk/chainguard/opentofu-fips-1.6 | < 1.6.3-r2 |
| pkg:apk/chainguard/opentofu-fips-1.7 | < 1.7.7-r2 |
| pkg:apk/chainguard/opentofu-fips-1.8 | < 1.8.8-r1 |
| pkg:apk/chainguard/opentofu-fips-1.9 | < 1.9.0-r1 |
| pkg:apk/chainguard/terraform | < 1.5.7-r21 |
| pkg:apk/chainguard/terraform-1.10 | < 1.10.4-r1 |
| pkg:apk/chainguard/terraform-1.10-compat | < 1.10.4-r1 |
| pkg:apk/chainguard/terraform-1.10-local-provider-config | < 1.10.4-r1 |
| pkg:apk/chainguard/terraform-1.8 | < 1.8.5-r10 |
| pkg:apk/chainguard/terraform-1.8-compat | < 1.8.5-r10 |
| pkg:apk/chainguard/terraform-1.8-local-provider-config | < 1.8.5-r10 |
| pkg:apk/chainguard/terraform-1.9 | < 1.9.8-r5 |
| pkg:apk/chainguard/terraform-1.9-compat | < 1.9.8-r5 |
| pkg:apk/chainguard/terraform-1.9-local-provider-config | < 1.9.8-r5 |
| pkg:apk/chainguard/terraform-compat | < 1.8.5-r10 |
| pkg:apk/chainguard/terraform-fips-1.10 | < 1.10.4-r1 |
| pkg:apk/chainguard/terraform-fips-1.10-compat | < 1.10.4-r1 |
| pkg:apk/chainguard/terraform-fips-1.10-local-provider-config | < 1.10.4-r1 |
| pkg:apk/chainguard/terraform-fips-1.9 | < 1.9.8-r4 |
| pkg:apk/chainguard/terraform-fips-1.9-compat | < 1.9.8-r4 |
| pkg:apk/chainguard/terraform-fips-1.9-local-provider-config | < 1.9.8-r4 |
| pkg:apk/chainguard/terraform-local-provider-config | < 1.5.7-r36 |
| pkg:apk/chainguard/vault-1.16 | < 1.16.3-r9 |
| pkg:apk/chainguard/vault-1.16-compat | < 1.16.3-r9 |
| pkg:apk/chainguard/vault-1.17 | < 1.17.6-r3 |
| pkg:apk/chainguard/vault-1.17-compat | < 1.17.6-r3 |
| pkg:apk/chainguard/vault-1.18 | < 1.18.3-r2 |
| pkg:apk/chainguard/vault-1.18-compat | < 1.18.3-r2 |
| pkg:apk/chainguard/vault-fips-1.17 | < 1.17.6-r4 |
| pkg:apk/chainguard/vault-fips-1.17-compat | < 1.17.6-r4 |
| pkg:apk/chainguard/vault-fips-1.18 | < 1.18.3-r1 |
| pkg:apk/chainguard/vault-fips-1.18-compat | < 1.18.3-r1 |
| pkg:apk/wolfi/opentofu-1.7 | < 1.7.10-r6 |
| pkg:apk/wolfi/opentofu-1.7-compat | < 1.7.10-r6 |
| pkg:apk/wolfi/opentofu-1.7-local-provider-config | < 1.7.10-r6 |
| pkg:apk/wolfi/opentofu-1.8 | < 1.8.8-r2 |
| pkg:apk/wolfi/opentofu-1.8-compat | < 1.8.8-r2 |
| pkg:apk/wolfi/opentofu-1.8-local-provider-config | < 1.8.8-r2 |
| pkg:apk/wolfi/opentofu-1.9 | < 1.9.0-r2 |
| pkg:apk/wolfi/opentofu-1.9-compat | < 1.9.0-r2 |
| pkg:apk/wolfi/opentofu-1.9-local-provider-config | < 1.9.0-r2 |
| pkg:apk/wolfi/terraform | < 1.5.7-r21 |
| pkg:apk/wolfi/terraform-compat | < 1.8.5-r10 |
| pkg:apk/wolfi/terraform-local-provider-config | < 1.5.7-r36 |
| pkg:golang/github.com/hashicorp/go-slug | < 0.16.3 |
| pkg:rpm/opensuse/govulncheck-vulndb&distro=openSUSE%20Leap%2015.6 | < 0.0.20250128T150132-150000.1.29.1 |
| pkg:rpm/opensuse/govulncheck-vulndb&distro=openSUSE%20Tumbleweed | < 0.0.20250128T150132-1.1 |
| pkg:rpm/opensuse/helmfile&distro=openSUSE%20Leap%2016.0 | < 1.1.9-bp160.1.1 |
| pkg:rpm/opensuse/helmfile&distro=openSUSE%20Tumbleweed | < 0.170.1-1.1 |
| pkg:rpm/suse/govulncheck-vulndb&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Package%20Hub%2015%20SP6 | < 0.0.20250128T150132-150000.1.29.1 |

- HashiCorp/Shared library v5, Range: 0 (vendor entry, no purl)
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
4 references recorded (not listed on this page).
News mentions
No linked articles in our index yet.