Description
The archive/zip package's handling of certain types of invalid zip files differs from the behavior of most zip implementations. This misalignment could be exploited to create a zip file whose contents vary depending on the implementation reading the file. The archive/zip package now rejects files containing these errors.
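The description above is a parser-differential issue: a zip whose metadata is internally inconsistent can be read differently by different implementations. As an added example (not code from the advisory, the Go project, or this page), the Python script below cross-checks a zip's end-of-central-directory record, central directory and local file headers and reports every disagreement it finds. The checks are this example's own choice; the page does not say which invalid constructs Go 1.21.11 now rejects, so an empty result means only that these particular checks passed. The sample archives are constructed inside the script.

```python
import io
import struct
import zipfile

LOCAL_SIG = b"PK\x03\x04"    # local file header
CENTRAL_SIG = b"PK\x01\x02"  # central directory header
EOCD_SIG = b"PK\x05\x06"     # end of central directory record


def find_eocd(data: bytes) -> int:
    """Offset of the EOCD record, or -1. It is 22 bytes plus a comment of at most 65535 bytes."""
    return data.rfind(EOCD_SIG, max(0, len(data) - (22 + 0xFFFF)))


def check_zip_consistency(data: bytes) -> list:
    """Return a list of findings; an empty list means all cross-checks agreed."""
    findings = []
    eocd = find_eocd(data)
    if eocd < 0 or eocd + 22 > len(data):
        return ["no end-of-central-directory record found"]
    _disk, _cd_disk, _n_disk, n_total, cd_size, cd_off, comment_len = struct.unpack(
        "<HHHHIIH", data[eocd + 4:eocd + 22])
    if eocd + 22 + comment_len != len(data):
        findings.append("EOCD comment length does not match the bytes after it")
    if cd_off + cd_size != eocd:
        # Typical of data prepended to the archive: every recorded offset is now stale.
        findings.append(f"central directory ({cd_off}+{cd_size}) does not end at EOCD ({eocd})")
    pos = cd_off
    for i in range(n_total):
        if data[pos:pos + 4] != CENTRAL_SIG or pos + 46 > len(data):
            findings.append(f"entry {i}: central directory header missing at {pos}")
            break
        c = struct.unpack("<HHHHHHIIIHHHHHII", data[pos + 4:pos + 46])
        name = data[pos + 46:pos + 46 + c[9]]
        lh = c[15]  # offset of the local header this entry claims to describe
        if data[lh:lh + 4] != LOCAL_SIG or lh + 30 > len(data):
            findings.append(f"entry {i} ({name!r}): no local header at offset {lh}")
        else:
            l = struct.unpack("<HHHHHIIIHH", data[lh + 4:lh + 30])
            lname = data[lh + 30:lh + 30 + l[8]]
            if lname != name:
                findings.append(f"entry {i}: name differs (central {name!r}, local {lname!r})")
            if l[2] != c[3]:
                findings.append(f"entry {i} ({name!r}): compression method differs")
            # Sizes and CRC live in a trailing data descriptor when bit 3 is set; skip them then.
            if not (l[1] & 0x8) and (l[5], l[6], l[7]) != (c[6], c[7], c[8]):
                findings.append(f"entry {i} ({name!r}): CRC or sizes differ between headers")
        pos += 46 + c[9] + c[10] + c[11]
    if pos != cd_off + cd_size:
        findings.append("central directory entries do not span the declared size")
    return findings


def build_sample_zip() -> bytes:
    """Constructed, well-formed single-entry archive used as the baseline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_STORED) as zf:
        zf.writestr("a.txt", b"hello")
    return buf.getvalue()


def rename_in_central_directory(data: bytes, old: bytes, new: bytes) -> bytes:
    """Constructed inconsistency: change the name only in the central directory, not the local header."""
    assert len(old) == len(new), "same length keeps every offset valid"
    cd = data.find(CENTRAL_SIG)
    return data[:cd] + data[cd:].replace(old, new, 1)


if __name__ == "__main__":
    good = build_sample_zip()
    print("baseline:", check_zip_consistency(good))
    print("prefixed:", check_zip_consistency(b"STUB" * 8 + good))
    print("renamed:", check_zip_consistency(rename_in_central_directory(good, b"a.txt", b"b.txt")))
```

Archives that produce findings are candidates for rejection at an ingestion boundary rather than for best-effort extraction, since two readers can legitimately disagree about what such a file contains.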
References (7)
Patch: https://go.dev/cl/585397
Issue Tracking, Patch: https://go.dev/issue/66869
Third Party Advisory: https://pkg.go.dev/vuln/GO-2024-2888
Mailing List, Third Party Advisory: https://lists.fedoraproject.org/archives/list/[email protected]/message/U5YAEIA6IUHUNGJ7AIXXPQT6D2GYENX7/
Vendor Advisory: https://security.netapp.com/advisory/ntap-20250131-0008/
Scores
CVSS v3: 5.5
EPSS: 0.0001
EPSS Percentile: 0.6%
Attack Vector: LOCAL
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
CISA SSVC (Vulnrichment)
Exploitation: poc
Automatable: no
Technical Impact: partial
Details
Status: published
Products (1): golang/go < 1.21.11
Published: Jun 05, 2024
Tracked Since: Feb 18, 2026