Vulnerability Report: GO-2024-2888

CVE-2024-24789
Affects: archive/zip
Published: Jun 04, 2024

The archive/zip package's handling of certain types of invalid zip files differs from the behavior of most zip implementations. This misalignment could be exploited to create an zip file with contents that vary depending on the implementation reading the file. The archive/zip package now rejects files containing these errors.

Affected Packages

Path

Versions

Symbols
archive/zip

before go1.21.11, from go1.22.0-0 before go1.22.4
- NewReader
- OpenReader

Aliases

CVE-2024-24789

References

https://go.dev/cl/585397
https://go.dev/issue/66869
https://groups.google.com/g/golang-announce/c/XbxouI9gY7k/m/TuoGEhxIEwAJ
https://vuln.go.dev/ID/GO-2024-2888.json

Credits

Yufan You (@ouuan)

Feedback

See anything missing or incorrect? Suggest an edit to this report.

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL