PT-2021-17669
Published 2021-03-11 · Updated 2024-06-15
CVE-2021-27919
CVSS v3.1: 5.5 (Medium)
Vector: AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions:
Go version 1.16.0 (the affected range is 1.16.0 through 1.16.0, i.e. this single release)
Description:
A ZIP archive that contains an entry whose name is prefixed with "../" causes the archive/zip Reader.Open method to overflow the stack and panic. Any application that calls Reader.Open on user-supplied archives can therefore be crashed by a crafted archive, making this a denial-of-service vector.
Recommendations:
Update Go 1.16.0 to version 1.16.1, which resolves the issue. Until the update is applied, do not call Reader.Open on ZIP archives that contain entries whose names begin with "../" (check the entry names first), and restrict the parsing of user-supplied archives in general to minimize the risk of exploitation.
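The workaround above amounts to screening entry names before an archive ever reaches Reader.Open. The Go program below is an added example, not part of this advisory or of the Go project: it generalises the "../" rule to fs.ValidPath (an assumed acceptance rule that also rejects absolute paths and embedded ".." components) and exercises the check against a constructed in-memory archive.

```go
package main

import (
	"archive/zip"
	"bytes"
	"fmt"
	"io/fs"
	"strings"
)

// unsafeEntries lists entry names to refuse before Reader.Open. The rule is fs.ValidPath
// (an assumption, broader than the advisory's "../" prefix: also absolute paths, embedded "..").
func unsafeEntries(zr *zip.Reader) []string {
	var bad []string
	for _, f := range zr.File {
		name := strings.TrimSuffix(f.Name, "/") // directory entries end in "/"
		if name == "" || !fs.ValidPath(name) {
			bad = append(bad, f.Name)
		}
	}
	return bad
}

// openChecked applies the workaround: screen every name, never Open a suspicious archive.
func openChecked(zr *zip.Reader, name string) (fs.File, error) {
	if bad := unsafeEntries(zr); len(bad) > 0 {
		return nil, fmt.Errorf("refusing archive: %d unsafe entry name(s), first %q", len(bad), bad[0])
	}
	return zr.Open(name)
}

// buildArchive writes a constructed in-memory ZIP with the given (empty) entries.
func buildArchive(names []string) (*zip.Reader, error) {
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	for _, n := range names {
		if _, err := zw.Create(n); err != nil { // zip.Writer does not validate names
			return nil, err
		}
	}
	if err := zw.Close(); err != nil {
		return nil, err
	}
	return zip.NewReader(bytes.NewReader(buf.Bytes()), int64(buf.Len()))
}

func main() {
	zr, _ := buildArchive([]string{"docs/readme.txt", "../escape.txt", "/abs.txt"})
	fmt.Println(unsafeEntries(zr)) // [../escape.txt /abs.txt]
}
```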
Affected Products
Alt Linux
Go
Suse