CVE-2021-41772

Name of the Vulnerable Software and Affected Versions Go versions prior to 1.16.10 Go versions 1.17.x prior to 1.17.3

Description The issue allows an archive/zip Reader.Open panic via a crafted ZIP archive containing an invalid name or an empty filename field. This can occur when opening a zip file with a name that is exclusively made up of slash characters or ".." path elements, or when passed the empty string directly as an argument. The Reader.Open function will skip any files in the zip whose name could not be made valid for fs.FS.Open, but they are still accessible through (*Reader).File.

Recommendations For Go versions prior to 1.16.10, update to version 1.16.10 or later to resolve the issue. For Go versions 1.17.x prior to 1.17.3, update to version 1.17.3 or later to resolve the issue. As a temporary workaround, consider validating the filename fields of ZIP archives before passing them to the Reader.Open function to minimize the risk of exploitation.