High severityNVD Advisory· Published Jan 21, 2025· Updated Feb 12, 2025
HashiCorp go-slug Vulnerable to Zip Slip Attack
CVE-2025-0377
Description
HashiCorp’s go-slug library is vulnerable to a zip-slip style attack when a non-existing user-provided path is extracted from the tar entry.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
github.com/hashicorp/go-slugGo | < 0.16.3 | 0.16.3 |
Affected products
63- osv-coords62 versionspkg:apk/chainguard/opentofu-1.6pkg:apk/chainguard/opentofu-1.6-compatpkg:apk/chainguard/opentofu-1.6-local-provider-configpkg:apk/chainguard/opentofu-1.7pkg:apk/chainguard/opentofu-1.7-compatpkg:apk/chainguard/opentofu-1.7-local-provider-configpkg:apk/chainguard/opentofu-1.8pkg:apk/chainguard/opentofu-1.8-compatpkg:apk/chainguard/opentofu-1.8-local-provider-configpkg:apk/chainguard/opentofu-1.9pkg:apk/chainguard/opentofu-1.9-compatpkg:apk/chainguard/opentofu-1.9-local-provider-configpkg:apk/chainguard/opentofu-fips-1.6pkg:apk/chainguard/opentofu-fips-1.7pkg:apk/chainguard/opentofu-fips-1.8pkg:apk/chainguard/opentofu-fips-1.9pkg:apk/chainguard/terraformpkg:apk/chainguard/terraform-1.10pkg:apk/chainguard/terraform-1.10-compatpkg:apk/chainguard/terraform-1.10-local-provider-configpkg:apk/chainguard/terraform-1.8pkg:apk/chainguard/terraform-1.8-compatpkg:apk/chainguard/terraform-1.8-local-provider-configpkg:apk/chainguard/terraform-1.9pkg:apk/chainguard/terraform-1.9-compatpkg:apk/chainguard/terraform-1.9-local-provider-configpkg:apk/chainguard/terraform-compatpkg:apk/chainguard/terraform-fips-1.10pkg:apk/chainguard/terraform-fips-1.10-compatpkg:apk/chainguard/terraform-fips-1.10-local-provider-configpkg:apk/chainguard/terraform-fips-1.9pkg:apk/chainguard/terraform-fips-1.9-compatpkg:apk/chainguard/terraform-fips-1.9-local-provider-configpkg:apk/chainguard/terraform-local-provider-configpkg:apk/chainguard/vault-1.16pkg:apk/chainguard/vault-1.16-compatpkg:apk/chainguard/vault-1.17pkg:apk/chainguard/vault-1.17-compatpkg:apk/chainguard/vault-1.18pkg:apk/chainguard/vault-1.18-compatpkg:apk/chainguard/vault-fips-1.17pkg:apk/chainguard/vault-fips-1.17-compatpkg:apk/chainguard/vault-fips-1.18pkg:apk/chainguard/vault-fips-1.18-compatpkg:apk/wolfi/opentofu-1.7pkg:apk/wolfi/opentofu-1.7-compatpkg:apk/wolfi/opentofu-1.7-local-provider-configpkg:apk/wolfi/opentofu-1.8pkg:apk/wolfi/opentofu-1.8-compatpkg:apk/wolfi/opentofu-1.8-local-provider-configpkg:apk/wolfi/opentofu-1.9pkg:apk/wolfi/opentofu-1.9-compatpkg:apk/wolfi/opentofu-1.9-local-provider-configpkg:apk/wolfi/terraformpkg:apk/wolfi/terraform-compatpkg:apk/wolfi/terraform-local-provider-configpkg:golang/github.com/hashicorp/go-slugpkg:rpm/opensuse/govulncheck-vulndb&distro=openSUSE%20Leap%2015.6pkg:rpm/opensuse/govulncheck-vulndb&distro=openSUSE%20Tumbleweedpkg:rpm/opensuse/helmfile&distro=openSUSE%20Leap%2016.0pkg:rpm/opensuse/helmfile&distro=openSUSE%20Tumbleweedpkg:rpm/suse/govulncheck-vulndb&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Package%20Hub%2015%20SP6
< 1.6.3-r5+ 61 more
- (no CPE)range: < 1.6.3-r5
- (no CPE)range: < 1.6.3-r5
- (no CPE)range: < 1.6.3-r5
- (no CPE)range: < 1.7.10-r6
- (no CPE)range: < 1.7.10-r6
- (no CPE)range: < 1.7.10-r6
- (no CPE)range: < 1.8.8-r2
- (no CPE)range: < 1.8.8-r2
- (no CPE)range: < 1.8.8-r2
- (no CPE)range: < 1.9.0-r2
- (no CPE)range: < 1.9.0-r2
- (no CPE)range: < 1.9.0-r2
- (no CPE)range: < 1.6.3-r2
- (no CPE)range: < 1.7.7-r2
- (no CPE)range: < 1.8.8-r1
- (no CPE)range: < 1.9.0-r1
- (no CPE)range: < 1.5.7-r21
- (no CPE)range: < 1.10.4-r1
- (no CPE)range: < 1.10.4-r1
- (no CPE)range: < 1.10.4-r1
- (no CPE)range: < 1.8.5-r10
- (no CPE)range: < 1.8.5-r10
- (no CPE)range: < 1.8.5-r10
- (no CPE)range: < 1.9.8-r5
- (no CPE)range: < 1.9.8-r5
- (no CPE)range: < 1.9.8-r5
- (no CPE)range: < 1.8.5-r10
- (no CPE)range: < 1.10.4-r1
- (no CPE)range: < 1.10.4-r1
- (no CPE)range: < 1.10.4-r1
- (no CPE)range: < 1.9.8-r4
- (no CPE)range: < 1.9.8-r4
- (no CPE)range: < 1.9.8-r4
- (no CPE)range: < 1.5.7-r36
- (no CPE)range: < 1.16.3-r9
- (no CPE)range: < 1.16.3-r9
- (no CPE)range: < 1.17.6-r3
- (no CPE)range: < 1.17.6-r3
- (no CPE)range: < 1.18.3-r2
- (no CPE)range: < 1.18.3-r2
- (no CPE)range: < 1.17.6-r4
- (no CPE)range: < 1.17.6-r4
- (no CPE)range: < 1.18.3-r1
- (no CPE)range: < 1.18.3-r1
- (no CPE)range: < 1.7.10-r6
- (no CPE)range: < 1.7.10-r6
- (no CPE)range: < 1.7.10-r6
- (no CPE)range: < 1.8.8-r2
- (no CPE)range: < 1.8.8-r2
- (no CPE)range: < 1.8.8-r2
- (no CPE)range: < 1.9.0-r2
- (no CPE)range: < 1.9.0-r2
- (no CPE)range: < 1.9.0-r2
- (no CPE)range: < 1.5.7-r21
- (no CPE)range: < 1.8.5-r10
- (no CPE)range: < 1.5.7-r36
- (no CPE)range: < 0.16.3
- (no CPE)range: < 0.0.20250128T150132-150000.1.29.1
- (no CPE)range: < 0.0.20250128T150132-1.1
- (no CPE)range: < 1.1.9-bp160.1.1
- (no CPE)range: < 0.170.1-1.1
- (no CPE)range: < 0.0.20250128T150132-150000.1.29.1
- HashiCorp/Shared libraryv5Range: 0
Patches
Vulnerability mechanics
References
4News mentions
0No linked articles in our index yet.