Cyber Posture

CVE-2025-0377

Severity: High
Published: 21 January 2025
Modified: 15 December 2025
KEV Added:
Patch:
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.0047 (64.5th percentile)
Risk Priority: 15 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Description

HashiCorp’s go-slug library is vulnerable to a zip-slip style attack when a non-existing user-provided path is extracted from the tar entry.

Security Summary

CVE-2025-0377 is a zip-slip style path traversal vulnerability in HashiCorp's go-slug library, classified as CWE-59 (Improper Link Resolution Before File Access), affecting tar archive extraction. The flaw arises when a user-provided path in a tar entry that does not yet exist on disk is processed, allowing the write target to resolve outside the intended extraction directory. Published on 2025-01-21, it carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), rated High primarily because of its confidentiality impact.

Remote, unauthenticated attackers can exploit this vulnerability over the network with low complexity and no user interaction. A crafted tar archive extracted by a vulnerable go-slug version can cause paths outside the intended directory to be accessed, resulting in high-impact unauthorized disclosure of information without affecting integrity or availability.

HashiCorp's security advisory (HCSEC-2025-01) provides details on the issue and mitigation at https://discuss.hashicorp.com/t/hcsec-2025-01-hashicorp-go-slug-vulnerable-to-zip-slip-attack.
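A defensive check of the kind this advisory calls for, written here as an added example (it is not go-slug's own code): before writing any tar entry, resolve symlinks in the deepest ancestor of the target path that already exists, re-append the not-yet-created components, and only then verify the result is still inside the destination. `SafeTargetPath` and `ErrOutsideDst` are names chosen for this example.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

var ErrOutsideDst = errors.New("tar entry resolves outside destination directory")

// SafeTargetPath returns where tar entry entryName may be written beneath dst,
// or ErrOutsideDst if it would escape. Symlinks in the deepest existing ancestor
// are resolved first; components that do not exist yet are re-appended lexically.
func SafeTargetPath(dst, entryName string) (string, error) {
	realDst, err := filepath.Abs(dst)
	if err == nil {
		realDst, err = filepath.EvalSymlinks(realDst) // dst itself may be a symlink
	}
	if err != nil {
		return "", err
	}
	target := filepath.Join(realDst, filepath.FromSlash(entryName)) // lexically cleaned
	existing, rest := target, []string{}
	for {
		if _, err := os.Lstat(existing); err == nil {
			break // deepest ancestor that is actually on disk
		}
		rest = append([]string{filepath.Base(existing)}, rest...)
		parent := filepath.Dir(existing)
		if parent == existing {
			return "", ErrOutsideDst
		}
		existing = parent
	}
	resolved, err := filepath.EvalSymlinks(existing) // follow links in the existing prefix
	if err != nil {
		return "", err
	}
	final := filepath.Join(append([]string{resolved}, rest...)...)
	if final != realDst && !strings.HasPrefix(final, realDst+string(filepath.Separator)) {
		return "", ErrOutsideDst
	}
	return final, nil
}

func main() {
	_, err := SafeTargetPath(".", "../etc/passwd") // constructed traversal entry
	fmt.Println("rejected:", errors.Is(err, ErrOutsideDst))
}
```

A purely lexical prefix check on the cleaned entry name would pass an entry such as `link/evil.txt` where `link` is an existing symlink pointing outside the destination; resolving the existing prefix first catches it.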

Details

CWE(s): CWE-59 (Improper Link Resolution Before File Access)

Affected Products

hashicorp/go-slug, versions ≤ 0.16.3

References