x/vulndb: potential Go vuln in github.com/hashicorp/go-slug: GHSA-wpfp-cm49-9m9q

[GoVulnBot]

Advisory GHSA-wpfp-cm49-9m9q references a vulnerability in the following Go modules:

Module
github.com/hashicorp/go-slug

Description:

Summary

HashiCorp’s go-slug library is vulnerable to a zip-slip style attack when a non-existing user-provided path is extracted from the tar entry. This vulnerability, identified as CVE-2025-0377, is fixed in go-slug 0.16.3.

Background

HashiCorp’s go-slug shared library offers functions for packing and unpacking Terraform Enterprise compatible slugs. Slugs are gzip compressed tar files containing Terraform configuration files.

Details

When go-slug performs an extraction, the filename/extraction path is taken from the tar entry via the header.Name. It was discovered that the unp...

References:

• ADVISORY: GHSA-wpfp-cm49-9m9q
• ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2025-0377
• WEB: https://discuss.hashicorp.com/t/hcsec-2025-01-hashicorp-go-slug-vulnerable-to-zip-slip-attack

Cross references:

• github.com/hashicorp/go-slug appears in 1 other report(s):
  • data/reports/GO-2021-0094.yaml (dummy issue #94)

See doc/quickstart.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/hashicorp/go-slug
      versions:
        - fixed: 0.16.3
      vulnerable_at: 0.16.2
summary: HashiCorp go-slug Vulnerable to Zip Slip Attack in github.com/hashicorp/go-slug
cves:
    - CVE-2025-0377
ghsas:
    - GHSA-wpfp-cm49-9m9q
references:
    - advisory: https://github.com/advisories/GHSA-wpfp-cm49-9m9q
    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2025-0377
    - web: https://discuss.hashicorp.com/t/hcsec-2025-01-hashicorp-go-slug-vulnerable-to-zip-slip-attack
source:
    id: GHSA-wpfp-cm49-9m9q
    created: 2025-01-21T21:01:29.652080158Z
review_status: UNREVIEWED

[gopherbot]

Change https://go.dev/cl/643498 mentions this issue: data/reports: add 7 unreviewed reports