Advisories for Golang/Github.com/Hashicorp/Go-Slug package

HashiCorp’s go-slug library is vulnerable to a zip-slip style attack when a non-existing user-provided path is extracted from the tar entry. This vulnerability, identified as CVE-2025-0377, is fixed in go-slug 0.16.3.

HashiCorp go-slug did not fully protect against Zip Slip attacks while unpacking tar archives, and protections could be bypassed with specific constructions of multiple symlinks.