VYPR
Medium severity · OSV Advisory · Published Nov 7, 2025 · Updated Apr 15, 2026

CVE-2025-64346


Description

archives is a Go library for extracting archives (tar, zip, etc.). Version 1.0.0 does not prevent a malicious user from feeding a specially crafted archive to the library, causing RCE, modification of files, or other malicious outcomes in the context of whatever user the program that imports the library runs as. Severity depends on user permissions, environment, and how arbitrary archives are passed. This issue is fixed in version 1.0.1.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

CVE-2025-64346: archives Go library v1.0.0 has a path traversal vulnerability allowing RCE or file modification via crafted archives; fixed in v1.0.1.

Overview

CVE-2025-64346 affects version 1.0.0 of the archives Go library, used for extracting tar, zip, and other archive formats. The vulnerability stems from improper limitation of a pathname to a restricted directory (path traversal), allowing a maliciously crafted archive to write files outside the intended extraction target [4]. The library does not sanitize file paths embedded within archive entries, enabling an attacker to place files anywhere the process has write access [2].

Exploitation

An attacker can exploit this by providing a specially crafted archive (e.g., a ZIP or tar file containing entries with ../ path components) to any application that uses the archives library to extract archives [1][4]. No authentication is required beyond the ability to submit an archive to the consuming application; therefore, any service that accepts uploaded archives or processes untrusted archives is potentially vulnerable. The exploitation occurs during the extraction process, as the library writes files to paths derived from archive entries without validation [2].

Impact

Successful exploitation allows an attacker to write arbitrary files to the filesystem in the context of the running process. This can lead to remote code execution (e.g., overwriting executables or configuration files), modification of sensitive data, or other malicious outcomes [2][4]. The severity depends on the permissions of the user running the application and the environment; for example, a root process with broad write access is at much higher risk than a sandboxed, read-only container [4].

Mitigation

The vulnerability is patched in version 1.0.1 of the archives library [1][2]. Users are strongly advised to upgrade to this version immediately. No workaround other than manually validating archives before extraction is recommended, and that approach is less reliable than upgrading [4]. The repository was later archived, so future support may be limited [1].
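The Zip Slip class of bug described above comes down to one decision: whether an entry name, once joined onto the destination directory, still resolves inside that directory. The following is an added example, not code from the archives library, showing a containment check written with filepath.Rel beside a bare prefix-only check of the kind a linter flags under G305, so the sibling-directory case that a prefix test without a trailing separator accepts can be seen. The helper names safeJoin and prefixOnly, and the entry names fed to them, are constructed for this illustration.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ErrTainted is returned for an entry whose name resolves outside the
// extraction directory.
var ErrTainted = errors.New("archive entry path escapes destination")

// safeJoin joins an archive entry name onto dest and rejects the result
// unless it stays inside dest. Containment is decided with filepath.Rel,
// not a string prefix, so a sibling directory that happens to share a
// prefix with dest (dest "out", entry "../outside/x" -> "outside/x")
// is rejected. Assumed example helper, not the archives library's API.
func safeJoin(dest, name string) (string, error) {
	dest = filepath.Clean(dest)
	target := filepath.Join(dest, name) // Join cleans, so "a/../c" becomes "c"
	rel, err := filepath.Rel(dest, target)
	if err != nil {
		return "", fmt.Errorf("%w: %q", ErrTainted, name)
	}
	// Any escape shows up as a leading ".." component of the relative path.
	if rel == ".." || strings.HasPrefix(rel, ".."+string(os.PathSeparator)) {
		return "", fmt.Errorf("%w: %q", ErrTainted, name)
	}
	return target, nil
}

// prefixOnly mirrors the shape of a bare prefix test (no trailing
// separator) so the sibling-directory case it accepts can be observed.
func prefixOnly(dest, name string) bool {
	return strings.HasPrefix(filepath.Join(dest, name), filepath.Clean(dest))
}

func main() {
	// Constructed entry names covering normal, absolute, and traversal cases.
	entries := []string{"a/b.txt", "/etc/hostname", "a/../c.txt", "../outside/x", "../../etc/passwd", ".."}
	for _, e := range entries {
		p, err := safeJoin("out", e)
		fmt.Printf("%-20q safeJoin=%-18q err=%v prefixOnly=%v\n", e, p, err, prefixOnly("out", e))
	}
}
```

Absolute entry names are not rejected outright; filepath.Join turns "/etc/hostname" into "out/etc/hostname", which is inside the destination and therefore harmless. The check is purely lexical: it decides nothing about symlinks that may already exist under dest, which is a separate concern for any extractor.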

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                          Ecosystem   Affected versions   Patched versions
github.com/jaredallard/archives  Go          < 1.0.1             1.0.1

Patches

3bddec7bd3f3

fix(deps): stencil-golang v1.6.0, extract breakout

https://github.com/jaredallard/archives · Jared Allard · Mar 27, 2025 · via ghsa
11 files changed · +90 −52
  • bun.lockb  +0 −0  modified
  • .cliff.toml  +5 −1  modified
    @@ -43,10 +43,14 @@ body = """
         {%- for commit in commits %}
             {%- if not commit.scope -%}
                 {{ self::print_commit(commit=commit) }}\
    -            {% if commit.github.username %} by @{{ commit.github.username }}{%- endif -%}\
    +            {% if commit.remote.username %} by @{{ commit.remote.username }}{%- endif -%}\
    +            {% if commit.remote.pr_number %} in \
    +						  [#{{ commit.remote.pr_number }}]({{ self::remote_url() }}/pull/{{ commit.remote.pr_number }}) \
    +            {%- endif %}\
                 {% raw %}\n{% endraw -%}
             {% endif -%}
         {% endfor -%}
    +		{% raw %}\n{% endraw %}\
     {% endfor %}\n
     
     {%- if github -%}
    
  • extractor.go  +25 −2  modified
    @@ -24,8 +24,22 @@ import (
     	"io"
     	"os"
     	"path/filepath"
    +	"strings"
     )
     
    +// sanitizeArchivePath sanitizes the provided archive file pathing from
    +// "G305: Zip Slip vulnerability".
    +//
    +// See: https://github.com/securego/gosec/issues/324
    +func sanitizeArchivePath(d, t string) (v string, err error) {
    +	v = filepath.Join(d, t)
    +	if strings.HasPrefix(v, filepath.Clean(d)) {
    +		return v, nil
    +	}
    +
    +	return "", fmt.Errorf("%s: %s", "content filepath is tainted", t)
    +}
    +
     // extract contains low level logic for extracting archives.
     func extract(a Archive, dest string, opts *ExtractOptions) error {
     	for {
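Review bot: the containment test in sanitizeArchivePath, `strings.HasPrefix(v, filepath.Clean(d))`, has no trailing separator, so a sibling directory that shares a prefix with the destination still passes: for d = "/srv/out", the entry "../outside/x" joins to "/srv/outside/x", which begins with "/srv/out". Compare against `filepath.Clean(d) + string(os.PathSeparator)` (accepting exact equality for the destination itself), or compute `filepath.Rel(d, v)` and reject results whose first component is "..". The doc comment and gosec reference are helpful; it is also worth stating there that the check is lexical and does not account for symlinks already present under d.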
    @@ -38,18 +52,27 @@ func extract(a Archive, dest string, opts *ExtractOptions) error {
     			return fmt.Errorf("failed to read archive header: %w", err)
     		}
     
    -		path := filepath.Join(dest, h.Name)
    +		path, err := sanitizeArchivePath(dest, h.Name)
    +		if err != nil {
    +			return err
    +		}
    +
     		switch h.Type {
     		case HeaderDir:
    +			//nolint:gosec // Why: acceptable, we're a tar extractor.
     			if err := os.MkdirAll(path, h.Mode); err != nil {
     				return fmt.Errorf("failed to create directory: %w", err)
     			}
     		case HeaderFile:
    -			// Sometimes the directory entry is missing, so we need to create it.
    +			// Sometimes the directory entry is missing, so we need to create
    +			// it.
    +			//
    +			//nolint:gosec // Why: acceptable, we're a tar extractor.
     			if err := os.MkdirAll(filepath.Dir(path), 0o755); err != nil {
     				return fmt.Errorf("failed to create directory: %w", err)
     			}
     
    +			//nolint:gosec // Why: acceptable, we're a tar extractor.
     			f, err := os.Create(path)
     			if err != nil {
     				return fmt.Errorf("failed to create file: %w", err)
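Review bot: the three `//nolint:gosec // Why: acceptable, we're a tar extractor.` suppressions justify the finding by the program's purpose rather than by the mitigation that was just added; since `path` now comes from sanitizeArchivePath, say so in the Why, e.g. `//nolint:gosec // Why: path validated by sanitizeArchivePath above`, so a later reader can see the G305 finding was addressed rather than waived. Separately, `h.Mode` from the archive header is applied as-is to os.MkdirAll for directory entries while the parents of file entries get a fixed 0o755; if that asymmetry is intended, a comment would make it clear.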
    
  • .gitattributes  +7 −0  added
    @@ -0,0 +1,7 @@
    +go*.sum linguist-generated
    +stencil.lock linguist-generated
    +bun.lockb linguist-generated
    +
    +## <<Stencil::Block(custom)>>
    +
    +## <</Stencil::Block>>
    
  • .github/workflows/tests.yaml  +3 −1  modified
    @@ -39,6 +39,8 @@ jobs:
           - name: Download dependencies
             run: go mod download
           - name: Run go test
    +        env:
    +          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
             run: |
               gotestsum -- -coverprofile=cover.out ./...
           - name: Upload test coverage
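Review bot: GITHUB_TOKEN is now exported to the entire `go test` run with no note on which test needs it; a comment naming that test would make the exposure deliberate rather than ambient, and lets the token's scope be kept to what that test actually requires.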
    @@ -63,7 +65,7 @@ jobs:
               echo "version=$(mise current golangci-lint)" >> "$GITHUB_OUTPUT"
             id: golangci_lint
           - name: golangci-lint
    -        uses: golangci/golangci-lint-action@v6
    +        uses: golangci/golangci-lint-action@v7
             with:
               version: v${{ steps.golangci_lint.outputs.version }}
               args: --timeout=30m
    
  • .golangci.yml  +37 −37  modified
    @@ -1,25 +1,27 @@
     # yaml-language-server: $schema=https://json.schemastore.org/golangci-lint
     
    -# Linter settings
    -linters-settings:
    -  errcheck:
    -    check-blank: true
    -  gocyclo:
    -    min-complexity: 25
    -  gocritic:
    -    enabled-tags:
    -      - diagnostic
    -      - experimental
    -      - opinionated
    -      - performance
    -      - style
    -  lll:
    -    line-length: 140
    +version: "2"
     
    +# Linter settings
     linters:
    +  settings:
    +    errcheck:
    +      check-blank: true
    +    gocyclo:
    +      min-complexity: 25
    +    gocritic:
    +      enabled-tags:
    +        - diagnostic
    +        - experimental
    +        - opinionated
    +        - performance
    +        - style
    +    lll:
    +      line-length: 140
    +
       # Inverted configuration with enable-all and disable is not scalable
       # during updates of golangci-lint.
    -  disable-all: true
    +  default: none
       enable:
         - bodyclose
         - dogsled
    @@ -30,40 +32,38 @@ linters:
         - gochecknoinits
         - gocritic
         - gocyclo
    -    - gofmt
         - goheader
    -    - goimports
         - gosec
    -    - gosimple
         - govet
         - ineffassign
         - lll
         - misspell
         - nakedret
         - staticcheck
         - revive
    -    - typecheck
         - unconvert
         - unparam
         - unused
         - whitespace
     
    -issues:
    -  exclude:
    -    # We allow error shadowing
    -    - 'declaration of "err" shadows declaration at'
    -
       # Excluding configuration per-path, per-linter, per-text and per-source
    -  exclude-rules:
    -    # Exclude some linters from running on tests files.
    -    - path: _test\.go
    -      linters:
    -        - errcheck
    -        - funlen
    -        - gochecknoglobals # Globals in test files are tolerated.
    -        - gocyclo
    -        - goheader # Don't require license headers in test files.
    -        - gosec
    +  exclusions:
    +    rules:
    +      # We allow error shadowing
    +      - path: '(.+)\.go$'
    +        text: 'declaration of "err" shadows declaration at'
    +      # Exclude some linters from running on tests files.
    +      - path: _test\.go
    +        linters:
    +          - errcheck
    +          - funlen
    +          - gochecknoglobals # Globals in test files are tolerated.
    +          - gocyclo
    +          - goheader # Don't require license headers in test files.
    +          - gosec
     
    -output:
    -  sort-results: true
    +# formatter settings
    +formatters:
    +  enable:
    +    - gofmt
    +    - goimports
    
  • go.sum  +0 −4  modified
    @@ -2,13 +2,9 @@ github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38=
     github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
     github.com/jamespfennell/xz v0.1.2 h1:iCw5kScLfGCceOKgQaGuj5RilAAlV4iiwauYntak2oU=
     github.com/jamespfennell/xz v0.1.2/go.mod h1:DhpWvZY1xDkK/6BREFl3c3R/fZh7IBdYq2m7xh4uLl0=
    -github.com/klauspost/compress v1.17.11 h1:In6xLpyWOi1+C7tXUUWv2ot1QvBjxevKAaI6IXrJmUc=
    -github.com/klauspost/compress v1.17.11/go.mod h1:pMDklpSncoRMuLFrf1W9Ss9KT+0rH90U12bZKk7uwG0=
     github.com/klauspost/compress v1.18.0 h1:c/Cqfb0r+Yi+JtIEq73FWXVkRonBlf0CRNYc8Zttxdo=
     github.com/klauspost/compress v1.18.0/go.mod h1:2Pp+KzxcywXVXMr50+X0Q/Lsb43OQHYWRCY2AiWywWQ=
     github.com/ulikunitz/xz v0.5.12 h1:37Nm15o69RwBkXM0J6A5OlE67RZTfzUxTj8fB3dfcsc=
     github.com/ulikunitz/xz v0.5.12/go.mod h1:nbz6k7qbPmH4IRqmfOplQw/tblSgqTqBwxkY0oWt/14=
    -gotest.tools/v3 v3.5.1 h1:EENdUnS3pdur5nybKYIh2Vfgc8IUNBjxDPSjtiJcOzU=
    -gotest.tools/v3 v3.5.1/go.mod h1:isy3WKz7GK6uNw/sbHzfKBLvlvXwUyV06n6brMxxopU=
     gotest.tools/v3 v3.5.2 h1:7koQfIKdy+I8UTetycgUqXWSDwpgv193Ka+qRsmBY8Q=
     gotest.tools/v3 v3.5.2/go.mod h1:LtdLGcnqToBH83WByAAi/wiwSFCArdFIUV/xxN4pcjA=
    
  • internal/tartest/tartest.go  +4 −1  modified
    @@ -31,6 +31,7 @@ import (
     	xznocgo "github.com/ulikunitz/xz"
     )
     
    +// Container represents the container of a tar file.
     type Container int
     
     const (
    @@ -46,10 +47,12 @@ const (
     	ContainerZstd
     )
     
    +// Options is a struct for interacting with containers.
     type Options struct {
     	Container Container
     }
     
    +// OptionFn modifies a [Options] struct.
     type OptionFn func(*Options)
     
     // WithContainer denotes that a specific container should be used when
    @@ -99,7 +102,7 @@ func Create(options ...OptionFn) (io.Reader, error) {
     		tw = tar.NewWriter(buf)
     	} else {
     		tw = tar.NewWriter(container)
    -		defer container.Close()
    +		defer container.Close() //nolint:errcheck // Why: Best effort
     	}
     
     	contents := []byte("hello world")
    
  • .mise.toml  +2 −2  modified
    @@ -4,9 +4,9 @@
     bun = "latest"
     git-cliff = "latest"
     golang = "1.24.1"
    -golangci-lint = "1.64.8"
    +golangci-lint = "2.0.2"
     goreleaser = "latest"
    -"go:gotest.tools/gotestsum" = "v1.12.0"
    +"go:gotest.tools/gotestsum" = "1.12.1"
     "go:golang.org/x/tools/cmd/goimports" = "latest"
     "go:mvdan.cc/sh/v3/cmd/shfmt" = "latest"
     "go:github.com/thenativeweb/get-next-version" = "latest"
    
  • package.json  +1 −1  modified
    @@ -2,7 +2,7 @@
     	"//": "Used for prettier",
     	"name": "@jaredallard/archives",
     	"devDependencies": {
    -		"prettier": "^3.3.2"
    +		"prettier": "^3.5.1"
     	},
     	"private": true
     }
    
  • stencil.lock  +6 −3  modified
    @@ -1,17 +1,20 @@
    -version: devel
    +version: 2.2.0
     modules:
         - name: github.com/rgst-io/stencil-golang
           url: https://github.com/rgst-io/stencil-golang
           version:
    -        commit: 2caa391c628957e7477ffd9fcd1c52a3029b254d
    -        tag: v1.2.0
    +        commit: 47fbf2883de9143c48d6913c0afa99d01747f0f6
    +        tag: v1.6.0
     files:
         - name: .cliff.toml
           template: .cliff.toml.tpl
           module: github.com/rgst-io/stencil-golang
         - name: .editorconfig
           template: .editorconfig.tpl
           module: github.com/rgst-io/stencil-golang
    +    - name: .gitattributes
    +      template: .gitattributes.tpl
    +      module: github.com/rgst-io/stencil-golang
         - name: .github/scripts/get-next-version.sh
           template: .github/scripts/get-next-version.sh.tpl
           module: github.com/rgst-io/stencil-golang
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
