GHSA-5wmg-j84w-4jj4

GitHub Security Advisory

Arbitrary File Write via Archive Extraction in mholt/archiver

✓ GitHub Reviewed | Severity: Moderate | Has CVE

Advisory Details

The mholt/archiver Go package before commit e4ef56d48eb029648b0e895bb0b6a393ef0829c3 is vulnerable to directory traversal: a ../ (dot dot slash) sequence in an archive entry name is mishandled during extraction, allowing attackers to write to arbitrary files. This vulnerability is also known as 'Zip-Slip'.
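
The containment check that this class of bug lacks, as an added example (not code from mholt/archiver or its fix): the helper names `naiveTarget` and `safeTarget`, the destination directory and the entry names are all assumptions constructed for illustration.

```go
package main

import (
	"fmt"
	"path/filepath"
	"strings"
)

// naiveTarget shows the vulnerable pattern: the entry name from the archive
// is joined to the destination without checking where the result lands.
func naiveTarget(dest, entryName string) string {
	return filepath.Join(dest, entryName)
}

// safeTarget (hypothetical helper) returns the extraction path for entryName,
// or an error if the cleaned path would fall outside dest.
func safeTarget(dest, entryName string) (string, error) {
	if filepath.IsAbs(entryName) {
		return "", fmt.Errorf("illegal entry path (absolute): %q", entryName)
	}
	base := filepath.Clean(dest)
	target := filepath.Join(base, entryName) // Join also resolves ".." segments
	rel, err := filepath.Rel(base, target)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("illegal entry path (escapes %s): %q", base, entryName)
	}
	return target, nil
}

func main() {
	dest := "/tmp/extract" // constructed sample destination
	// Constructed sample entry names, as they might appear in an archive header.
	names := []string{"docs/readme.txt", "../../etc/cron.d/job", "a/../../b", "..foo/ok.txt"}
	for _, name := range names {
		target, err := safeTarget(dest, name)
		fmt.Printf("%-24q naive=%-28s safe=%q err=%v\n", name, naiveTarget(dest, name), target, err)
	}
}
```

The check covers entry names only; symlink entries inside an archive need separate handling before any file is written through them.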

Affected Packages

Go: github.com/mholt/archiver
Affected versions: all versions before 2.1.0 (fixed in 2.1.0)

Related CVEs

Key Information

GHSA ID: GHSA-5wmg-j84w-4jj4
Published: February 15, 2022 1:57 AM
Last Modified: July 16, 2022 4:26 AM
CVSS Score: 5.0/10
Primary Ecosystem: Go
Primary Package: github.com/mholt/archiver
GitHub Reviewed: ✓ Yes

Dataset

Last updated: July 19, 2025 6:27 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.