CVE-2025-64346
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-11-07

Last updated on: 2025-11-12

Assigner: GitHub, Inc.

Description
archives is a Go library for extracting archives (tar, zip, etc.). Version 1.0.0 does not prevent a malicious user to feed a specially crafted archive to the library causing RCE, modification of files or other malignancies in the context of whatever the user is running this library as, through the program that imports it. Severity depends on user permissions, environment and how arbitrary archives are passed. This issue is fixed in version 1.0.1.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-11-07
Last Modified
2025-11-12
Generated
2026-05-07
AI Q&A
2025-11-07
EPSS Evaluated
2026-05-05
NVD
CVE-2025-64346
EUVD
EUVD-2025-8630
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
jaredallard archives 1.0.1
jaredallard archives 1.0.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in the archives Go library version 1.0.0, which is used for extracting archive files like tar and zip. A malicious user can craft a specially designed archive that, when processed by this library, can lead to remote code execution (RCE), unauthorized modification of files, or other harmful actions within the context of the program using the library. The severity depends on user permissions, environment, and how the archives are handled. The issue is fixed in version 1.0.1.


How can this vulnerability impact me? :

If you use the vulnerable version 1.0.0 of the archives library, an attacker could exploit this vulnerability by providing a malicious archive to your application. This could result in remote code execution, unauthorized file modifications, or other malicious activities running with the same privileges as your application, potentially compromising your system or data. The impact depends on the permissions of the user running the application and the environment.


What immediate steps should I take to mitigate this vulnerability?

Upgrade the archives Go library to version 1.0.1 or later, as this version contains the fix for the vulnerability. Additionally, avoid processing untrusted or arbitrary archive files with the vulnerable version to reduce risk.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart