CVE-2025-0377

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2025-0377

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-0377.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2025-0377

Aliases

Downstream

SUSE-SU-2025:0297-1

openSUSE-SU-2025:14684-1

openSUSE-SU-2025:14710-1

openSUSE-SU-2025:20097-1

Related

Published

2025-01-21T16:15:14.290Z

Modified

2026-03-12T02:19:29.331533Z

Severity

9.1 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N CVSS Calculator

Summary

[none]

Details

HashiCorp’s go-slug library is vulnerable to a zip-slip style attack when a non-existing user-provided path is extracted from the tar entry.

References

https://discuss.hashicorp.com/t/hcsec-2025-01-hashicorp-go-slug-vulnerable-to-zip-slip-attack

Affected packages

Git / github.com/hashicorp/go-slug

Affected ranges

Type

GIT

Repo

https://github.com/hashicorp/go-slug

Events

Introduced

Fixed

9a9315589124e21b01ffe8a7816f4f2bea7da8b4

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "0.16.3"
        }
    ]
}

Affected versions

v0.*

v0.1.0

v0.10.0

v0.10.1

v0.11.0

v0.11.1

v0.12.0

v0.12.1

v0.12.2

v0.13.0

v0.13.1

v0.13.2

v0.13.3

v0.13.4

v0.14.0

v0.15.0

v0.15.1

v0.15.2

v0.16.0

v0.16.1

v0.16.2

v0.2.0

v0.3.0

v0.3.1

v0.4.0

v0.4.1

v0.4.2

v0.4.3

v0.5.0

v0.6.0

v0.7.0

v0.8.0

v0.8.1

v0.9.0

v0.9.1

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-0377.json"