CVE-2025-64346

MEDIUM

archives < 1.0.1 - Path Traversal and Remote Code Execution via Malicious Archive Extraction

Title source: llm

Description

archives is a Go library for extracting archives (tar, zip, etc.). Version 1.0.0 does not prevent a malicious user to feed a specially crafted archive to the library causing RCE, modification of files or other malignancies in the context of whatever the user is running this library as, through the program that imports it. Severity depends on user permissions, environment and how arbitrary archives are passed. This issue is fixed in version 1.0.1.

References (2)

Core 2

Core References

Vendor Advisory x_refsource_confirm

https://github.com/jaredallard/archives/security/advisories/GHSA-j95m-rcjp-q69h

Patch x_refsource_misc

https://github.com/jaredallard/archives/commit/3bddec7bd3f38afbe97ae61d1c8a8487e9ea4ef1

View Patch ZIP pw:eip

Scores

CVSS v4 6.0

EPSS 0.0032

EPSS Percentile 23.1%

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-22

Status published

Products (2)

jaredallard/archives 0 - 1.0.1Go

jaredallard/archives < 1.0.1

Published Nov 07, 2025

Tracked Since Feb 18, 2026