CVE-2025-0377
Aliases: GHSA-wpfp-cm49-9m9q, GO-2025-3413
Advisory lineage: Upstream 0, Downstream 4
Status: Analyzed
Published: 21 Jan 2025, 15:23
Last modified: 12 Feb 2025, 20:41
Vulnerability Summary
Overall Risk (default): high (70/100)
CVSS Score: 9.1 CRITICAL, v3.1 (nvd)
EPSS Score: 0.47% (LOW), change +0.36%
KEV: Not listed
Ransomware: No reports
Public exploits: None found
Dark Web: Not detected
Timeline
- 21 Jan 2025, 15:23: Published (vulnerability first disclosed)
- 12 Feb 2025, 20:41: Last modified (vulnerability information updated)
Description
HashiCorp’s go-slug library is vulnerable to a zip-slip style attack when a non-existing user-provided path is extracted from a tar entry: the destination path is not resolved against links that already exist on disk before the write, so an entry whose path runs through an existing symlink can land outside the extraction directory (CWE-59, link following). Fixed in go-slug 0.16.3.
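The one-sentence description hides a two-part condition: the entry's own path does not exist yet, but an ancestor of it does and is a symlink, so a purely lexical "is the cleaned path still under dest?" check passes while the actual write lands elsewhere. The Go program below is an added example written for this page; it is not go-slug's code and does not reproduce the fix commit. It puts the lexical check most extractors stop at (`lexicalPath`) beside a check that first resolves the deepest existing ancestor on disk (`securePath`), and replays the scenario on a constructed temp-directory layout in `demo`. The function names, the `link` -> `outside` layout and the sample entry names are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ErrEscape marks an entry that would land outside the destination directory.
var ErrEscape = errors.New("tar entry escapes destination directory")

// escapes reports whether a path relative to some root climbs above that root.
func escapes(rel string) bool {
	return rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

// lexicalPath is where a naive extractor stops: clean the entry name and make
// sure the joined path is still under dest. It never consults the disk, so a
// symlink that already exists under dest is invisible to it ("before" side).
func lexicalPath(dest, name string) (string, error) {
	target := filepath.Join(dest, name)
	if rel, err := filepath.Rel(dest, target); err != nil || filepath.IsAbs(name) || escapes(rel) {
		return "", ErrEscape
	}
	return target, nil
}

// securePath runs the lexical check, then resolves the deepest ancestor of the
// target that exists on disk (following symlinks), re-appends the tail that does
// not exist yet, and re-checks containment against the resolved dest. The tail
// is the advisory's "non-existing user-provided path"; an existing ancestor that
// is a link is what turns a clean-looking name into a write elsewhere (CWE-59).
func securePath(dest, name string) (string, error) {
	target, err := lexicalPath(dest, name)
	if err != nil {
		return "", err
	}
	realDest, err := filepath.EvalSymlinks(dest) // dest itself may be a link
	if err != nil {
		return "", err
	}
	existing, tail := target, ""
	for {
		if _, err = os.Lstat(existing); err == nil {
			break
		} else if !errors.Is(err, os.ErrNotExist) || filepath.Dir(existing) == existing {
			return "", err
		}
		existing, tail = filepath.Dir(existing), filepath.Join(filepath.Base(existing), tail)
	}
	resolved, err := filepath.EvalSymlinks(existing)
	if err != nil {
		return "", err
	}
	if rel, err := filepath.Rel(realDest, filepath.Join(resolved, tail)); err != nil || escapes(rel) {
		return "", ErrEscape
	}
	return target, nil
}

// Verdicts is what demo reports for each constructed entry name.
type Verdicts struct{ LexicalOK, SecureOK bool }

// demo replays the advisory's scenario on a constructed layout (an assumption
// for this example): dest already holds the symlink "link" -> ../outside,
// planted earlier, e.g. by a previous archive, and none of the entry names
// exist yet. It returns, per name, whether each check accepts it.
func demo() (map[string]Verdicts, error) {
	tmp, err := os.MkdirTemp("", "zipslip")
	if err != nil {
		return nil, err
	}
	defer os.RemoveAll(tmp)
	dest, outside := filepath.Join(tmp, "dest"), filepath.Join(tmp, "outside")
	for _, d := range []string{dest, outside} {
		if err = os.MkdirAll(d, 0o755); err != nil {
			return nil, err
		}
	}
	if err = os.Symlink(outside, filepath.Join(dest, "link")); err != nil {
		return nil, err
	}
	out := map[string]Verdicts{}
	for _, name := range []string{"docs/readme.txt", "../etc/passwd", "link/pwned", "link"} {
		_, lexErr := lexicalPath(dest, name)
		_, secErr := securePath(dest, name)
		out[name] = Verdicts{lexErr == nil, secErr == nil}
	}
	return out, nil
}

func main() {
	v, err := demo()
	fmt.Println(v, err)
}
```

Both checks refuse the classic `../etc/passwd`; only `securePath` refuses `link/pwned` (new file under an existing link) and `link` (a write that would go through the link itself). An extractor built on this would call `securePath` for every entry name, and for every symlink target joined to the link's own directory, before creating anything, and would open regular files with `os.O_EXCL` so that a link appearing at the final component between check and write is not written through. The check has to run against the file system as it is at extraction time, after earlier entries of the same archive have been written, which is why a lexical pre-scan of the archive listing is not enough.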
CVSS Metrics
- v3.1 • HIGH • Score: 7.5 • CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
- v3.1 • CRITICAL • Score: 9.1 • CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
EPSS Trends
Current EPSS score: 0.47% • Percentile: 65%
Techniques & Countermeasures
- CWE-59 • Improper Link Resolution Before File Access ('Link Following')
The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.
Affected Systems
- github.com/hashicorp • go-slug: < 0.16.3
- hashicorp • go-slug: < 0.16.3
- hashicorp • shared library: < 0.16.2