{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-64346", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2025-10-30T17:40:52.031Z", "datePublished": "2025-11-07T05:32:09.605Z", "dateUpdated": "2025-11-07T13:19:52.595Z"}, "containers": {"cna": {"title": "archives: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "lang": "en", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 6, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/jaredallard/archives/security/advisories/GHSA-j95m-rcjp-q69h", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/jaredallard/archives/security/advisories/GHSA-j95m-rcjp-q69h"}, {"name": "https://github.com/jaredallard/archives/commit/3bddec7bd3f38afbe97ae61d1c8a8487e9ea4ef1", "tags": ["x_refsource_MISC"], "url": "https://github.com/jaredallard/archives/commit/3bddec7bd3f38afbe97ae61d1c8a8487e9ea4ef1"}], "affected": [{"vendor": "jaredallard", "product": "archives", "versions": [{"version": "< 1.0.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-11-07T05:32:09.605Z"}, "descriptions": [{"lang": "en", "value": "archives is a Go library for extracting archives (tar, zip, etc.). Version 1.0.0 does not prevent a malicious user to feed a specially crafted archive to the library causing RCE, modification of files or other malignancies in the context of whatever the user is running this library as, through the program that imports it. Severity depends on user permissions, environment and how arbitrary archives are passed. This issue is fixed in version 1.0.1."}], "source": {"advisory": "GHSA-j95m-rcjp-q69h", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-11-07T13:19:20.562351Z", "id": "CVE-2025-64346", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-07T13:19:52.595Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-64346", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-11-07T13:19:20.562351Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-07T13:19:47.960Z"}}], "cna": {"title": "archives: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "source": {"advisory": "GHSA-j95m-rcjp-q69h", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 6, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE"}}], "affected": [{"vendor": "jaredallard", "product": "archives", "versions": [{"status": "affected", "version": "< 1.0.1"}]}], "references": [{"url": "https://github.com/jaredallard/archives/security/advisories/GHSA-j95m-rcjp-q69h", "name": "https://github.com/jaredallard/archives/security/advisories/GHSA-j95m-rcjp-q69h", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/jaredallard/archives/commit/3bddec7bd3f38afbe97ae61d1c8a8487e9ea4ef1", "name": "https://github.com/jaredallard/archives/commit/3bddec7bd3f38afbe97ae61d1c8a8487e9ea4ef1", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "archives is a Go library for extracting archives (tar, zip, etc.). Version 1.0.0 does not prevent a malicious user to feed a specially crafted archive to the library causing RCE, modification of files or other malignancies in the context of whatever the user is running this library as, through the program that imports it. Severity depends on user permissions, environment and how arbitrary archives are passed. This issue is fixed in version 1.0.1."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-11-07T05:32:09.605Z"}}}, "cveMetadata": {"cveId": "CVE-2025-64346", "state": "PUBLISHED", "dateUpdated": "2025-11-07T13:19:52.595Z", "dateReserved": "2025-10-30T17:40:52.031Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2025-11-07T05:32:09.605Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "archives is a Go library for extracting archives (tar, zip, etc.). Version 1.0.0 does not prevent a malicious user to feed a specially crafted archive to the library causing RCE, modification of files or other malignancies in the context of whatever the user is running this library as, through the program that imports it. Severity depends on user permissions, environment and how arbitrary archives are passed. This issue is fixed in version 1.0.1."}, {"lang": "es", "value": "archives es una librer\u00eda Go para extraer archivos (tar, zip, etc.). La versi\u00f3n 1.0.0 no evita que un usuario malintencionado alimente un archivo especialmente dise\u00f1ado a la librer\u00eda, causando RCE, modificaci\u00f3n de archivos u otras malignidades en el contexto de los privilegios con los que el usuario est\u00e9 ejecutando esta librer\u00eda, a trav\u00e9s del programa que la importa. La severidad depende de los permisos del usuario, el entorno y c\u00f3mo se pasen los archivos arbitrarios. Este problema est\u00e1 solucionado en la versi\u00f3n 1.0.1."}], "id": "CVE-2025-64346", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.0, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2025-11-07T06:15:33.850", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/jaredallard/archives/commit/3bddec7bd3f38afbe97ae61d1c8a8487e9ea4ef1"}, {"source": "security-advisories@github.com", "url": "https://github.com/jaredallard/archives/security/advisories/GHSA-j95m-rcjp-q69h"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"created": "2025-11-07T10:53:32.469702+00:00", "updated": "2025-11-07T10:53:32.469731+00:00", "vendors": ["archives_project", "archives_project$PRODUCT$archives"]}