CVE-2025-0377: HashiCorp go-slug Vulnerable to Zip Slip Attack

January 21, 2025

HashiCorp’s go-slug library is vulnerable to a zip-slip style attack when a non-existing user-provided path is extracted from the tar entry. This vulnerability, identified as CVE-2025-0377, is fixed in go-slug 0.16.3.

References

discuss.hashicorp.com/t/hcsec-2025-01-hashicorp-go-slug-vulnerable-to-zip-slip-attack
github.com/advisories/GHSA-wpfp-cm49-9m9q
nvd.nist.gov/vuln/detail/CVE-2025-0377

Detect and mitigate CVE-2025-0377 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →