← Back

CVE-2025-0377

nvd nist
Published: Jan 21, 2025Modified: Dec 15, 2025

JSON object

Loading...
9.1
Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Exploitability: 3.9 / Impact: 5.2
Source: NVD

Description

HashiCorp’s go-slug library is vulnerable to a zip-slip style attack when a non-existing user-provided path is extracted from the tar entry.

Affected (1)

Products: Hashicorp: Go Slug
Hashicorp
1 product
Go Slug
Configuration A
1 vulnerable
Vulnerable SoftwareAffected Versions
Go Slug
Before 0.16.3

Related CWEs

CWE-59
Improper Link Resolution Before File Access ('Link Following')
The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.

References (1)

Source: security@hashicorp.com
Vendor Advisory

Timeline

No history available yet.