CVE-2025-3445: 
Wolfi vulnerability analysis and mitigation

A Path Traversal "Zip Slip" vulnerability has been identified in mholt/archiver in Go (CVE-2025-3445). The vulnerability affects the archiver.Unarchive functionality when handling ZIP files, allowing attackers to create or overwrite files with the user's privileges through crafted ZIP files containing path traversal symlinks. The vulnerability was disclosed on April 13, 2025 (NVD).

The vulnerability occurs when using the archiver.Unarchive functionality with ZIP files (e.g., archiver.Unarchive(zipFile, outputDir)). A crafted ZIP file can be extracted in such a way that it writes files to the affected system with the same privileges as the application executing this vulnerable functionality. The vulnerability has been assigned a CVSS v3.1 score of 8.1 HIGH with the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:H/A:L (NVD).

The exploitation of this vulnerability can lead to sensitive files being overwritten, potentially resulting in privilege escalation, code execution, and other severe outcomes. The impact is particularly significant as the vulnerability allows attackers to manipulate file paths and potentially gain elevated system access through file manipulation (NVD).

The affected project has been deprecated, and users are advised to switch to the successor project called mholt/archives. The initial release (v0.1.0) of mholt/archives removes the vulnerable Unarchive() functionality. It's worth noting that while a fix was implemented for a similar vulnerability in TAR files (CVE-2024-0406), it hasn't been officially released for the deprecated mholt/archiver project (GitHub Archiver).