CVE-2023-28105 HIGH

CVE-2023-28105: Go-huge-util vulnerable to path traversal when unzipping files

Vendor Dablelv
Product go-huge-util
Weakness CWE-22 · Path traversal
Published March 16, 2023
Last update February 25, 2025

CVSS base score

8.8/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Required
Confidentiality Low
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:L

What the vulnerability does

01 Description

go-huge-util provides commonly used utility functions for Go. Versions prior to 0.0.34 have a ZipSlip issue when using the fsutil package to unzip files. When users call `zip.Unzip` on a zip file supplied by an attacker, they may be vulnerable to path traversal. The issue has been fixed in version 0.0.34. There are no known workarounds.

Key dates

02 Disclosure timeline

March 16, 2023 CVE published
February 25, 2025 Record updated