PT-2025-3860 · Hashicorp · Go-Slug

Published: 2025-01-21 · Updated: 2025-12-30 · CVE-2025-0377

CVSS v3.1: 9.1 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions

HashiCorp go-slug versions prior to 0.16.3
Description

HashiCorp's go-slug library is vulnerable to a zip-slip style attack when a tar entry names a user-controlled destination path that does not yet exist. The unpacking step validates such paths improperly, so a crafted entry can traverse outside the extraction directory and write an arbitrary file during extraction. The library provides functions for packing and unpacking Terraform Enterprise compatible slugs, which are gzip-compressed tar archives of Terraform configuration files.
Recommendations

Upgrade go-slug to 0.16.3 or later. As a temporary workaround, restrict the paths that user-supplied tar entries may be extracted to, so that nothing can be written outside the intended destination directory. Consumers of the go-slug library should evaluate the risk in the context of how their own code uses it.
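The class of check the recommendation calls for, as an added example that is not go-slug's own code: a minimal tar unpacker in Go that rejects both lexical "../" traversal and a write that would be redirected through a symlink already present in the destination (the link-following case this advisory names). Function names, the constructed sample archives and the planted symlink are this example's assumptions; it reads a plain tar stream (a real slug would be wrapped in a gzip reader first), rejects symlink members outright, which is a narrower policy than go-slug's, and needs Go 1.20 or later for filepath.IsLocal.

```go
package main

import (
	"archive/tar"
	"bytes"
	"fmt"
	"io"
	"os"
	"path/filepath"
)

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// archive returns a tar stream holding one regular file: constructed test data, not a real slug.
func archive(name, body string) []byte {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	must(tw.WriteHeader(&tar.Header{Name: name, Typeflag: tar.TypeReg, Mode: 0o644, Size: int64(len(body))}))
	tw.Write([]byte(body)) // writes to a bytes.Buffer cannot fail; Close reports a short body
	must(tw.Close())
	return buf.Bytes()
}

func inside(dir, path string) bool { // lexical containment: is path under dir after cleaning?
	rel, err := filepath.Rel(dir, path)
	return err == nil && filepath.IsLocal(rel)
}

// resolveTarget maps a member name onto realDst. The lexical check catches "../" traversal;
// the parent is then re-checked after symlink resolution, because a path that does not exist
// yet can still be redirected outside dst by a symlink already present there (link following).
func resolveTarget(realDst, name string) (string, error) {
	target := filepath.Join(realDst, name)
	if !inside(realDst, target) {
		return "", fmt.Errorf("entry %q escapes the destination", name)
	}
	if err := os.MkdirAll(filepath.Dir(target), 0o755); err != nil {
		return "", err
	}
	realParent, err := filepath.EvalSymlinks(filepath.Dir(target))
	if err != nil || !inside(realDst, realParent) {
		return "", fmt.Errorf("parent of %q does not resolve inside the destination (%v)", name, err)
	}
	return filepath.Join(realParent, filepath.Base(target)), nil
}

// unpackTar extracts r into dst (which must exist); only directories and regular files are accepted.
func unpackTar(r io.Reader, dst string) error {
	realDst, err := filepath.EvalSymlinks(dst)
	if err != nil {
		return err
	}
	tr := tar.NewReader(r)
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			return nil
		} else if err != nil {
			return err
		}
		target, err := resolveTarget(realDst, hdr.Name)
		if err != nil {
			return err
		}
		switch hdr.Typeflag {
		case tar.TypeDir:
			err = os.MkdirAll(target, 0o755)
		case tar.TypeReg:
			// O_EXCL refuses to write through anything already at target, including a planted symlink.
			var f *os.File
			if f, err = os.OpenFile(target, os.O_WRONLY|os.O_CREATE|os.O_EXCL, os.FileMode(hdr.Mode)&0o777); err == nil {
				_, err = io.Copy(f, tr)
				f.Close()
			}
		default:
			err = fmt.Errorf("member %q has unsupported type %q", hdr.Name, hdr.Typeflag)
		}
		if err != nil {
			return err
		}
	}
}

// main runs three constructed scenarios: a benign slug, a "../" traversal, and a write through a
// symlink planted in the destination that points at the destination's parent directory.
func main() {
	work, err := os.MkdirTemp("", "slug-demo")
	must(err)
	defer os.RemoveAll(work)
	for _, d := range []string{"benign", "traversal", "linkfollow"} {
		must(os.MkdirAll(filepath.Join(work, d), 0o755))
	}
	must(os.Symlink(work, filepath.Join(work, "linkfollow", "link")))
	fmt.Println("benign:        ", unpackTar(bytes.NewReader(archive("main.tf", "resource \"null_resource\" \"x\" {}\n")), filepath.Join(work, "benign")))
	fmt.Println("traversal:     ", unpackTar(bytes.NewReader(archive("../../escaped.tf", "owned\n")), filepath.Join(work, "traversal")))
	fmt.Println("link following:", unpackTar(bytes.NewReader(archive("link/escaped.tf", "owned\n")), filepath.Join(work, "linkfollow")))
}
```

The lexical check alone would have accepted the third scenario: "link/escaped.tf" stays under the destination on paper, and only resolving the parent after it exists shows that the write would land outside. That is why the check has to run against the resolved parent of a not-yet-existing path, not against the name in the header.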

Weakness Enumeration

Link Following (CWE-59)

Related Identifiers

CVE-2025-0377
GHSA-WPFP-CM49-9M9Q
GO-2025-3413
OPENSUSE-SU-2025:14684-1
OPENSUSE-SU-2025:14710-1
OPENSUSE-SU-2025:20097-1
OPENSUSE-SU-2025_0297-1
SUSE-SU-2025:0297-1

Affected Products

Suse
Go-Slug