CVE-2024-0406: Archiver Path Traversal vulnerability

April 6, 2024 (updated May 7, 2025)

A flaw was discovered in the mholt/archiver package. This flaw allows an attacker to create a specially crafted tar file, which, when unpacked, may allow access to restricted files or directories. This issue can allow the creation or overwriting of files with the user’s or application’s privileges using the library.

References

access.redhat.com/errata/RHSA-2025:2449
access.redhat.com/security/cve/CVE-2024-0406
bugzilla.redhat.com/show_bug.cgi?id=2257749
github.com/advisories/GHSA-rhh4-rh7c-7r5v
github.com/mholt/archiver
nvd.nist.gov/vuln/detail/CVE-2024-0406
pkg.go.dev/vuln/GO-2024-2698

Code Behaviors & Features

Detect and mitigate CVE-2024-0406 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →