CVE-2025-64346
Unknown Unknown - Not Provided

BaseFortify

Vulnerability report for CVE-2025-64346, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2025-11-07

Last updated on: 2025-11-12

Assigner: GitHub, Inc.

Description

archives is a Go library for extracting archives (tar, zip, etc.). Version 1.0.0 does not prevent a malicious user to feed a specially crafted archive to the library causing RCE, modification of files or other malignancies in the context of whatever the user is running this library as, through the program that imports it. Severity depends on user permissions, environment and how arbitrary archives are passed. This issue is fixed in version 1.0.1.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2025-11-07
Last Modified
2025-11-12
Generated
2026-07-06
AI Q&A
2025-11-07
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
jaredallard archives 1.0.1
jaredallard archives 1.0.0

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in the archives Go library version 1.0.0, which is used for extracting archive files like tar and zip. A malicious user can craft a specially designed archive that, when processed by this library, can lead to remote code execution (RCE), unauthorized modification of files, or other harmful actions within the context of the program using the library. The severity depends on user permissions, environment, and how the archives are handled. The issue is fixed in version 1.0.1.

Impact Analysis

If you use the vulnerable version 1.0.0 of the archives library, an attacker could exploit this vulnerability by providing a malicious archive to your application. This could result in remote code execution, unauthorized file modifications, or other malicious activities running with the same privileges as your application, potentially compromising your system or data. The impact depends on the permissions of the user running the application and the environment.

Mitigation Strategies

Upgrade the archives Go library to version 1.0.1 or later, as this version contains the fix for the vulnerability. Additionally, avoid processing untrusted or arbitrary archive files with the vulnerable version to reduce risk.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-64346. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart