
HCSEC-2025-01


**Bulletin ID:** HCSEC-2025-01

**Affected Products / Versions:** go-slug up to 0.16.2; fixed in go-slug 0.16.3.

**Publication Date:** January 21, 2025

**Summary**

HashiCorp's go-slug library is vulnerable to a zip-slip style attack when a non-existing user-provided path is extracted from the tar entry. This vulnerability, identified as CVE-2025-0377, is fixed in go-slug 0.16.3.

**Background**

HashiCorp's go-slug shared library offers functions for packing and unpacking Terraform Enterprise compatible slugs. Slugs are gzip compressed tar files containing Terraform configuration files.

**Details**

When go-slug performs an extraction, the filename/extraction path is taken from the tar entry via the `header.Name`. It was discovered that the unpacking step improperly validated paths, potentially leading to path traversal, allowing an attacker to write an arbitrary file during extraction.

**Remediation**

Consumers of the go-slug shared library should evaluate the risk associated with this issue in the context of their go-slug usage and upgrade go-slug to 0.16.3 or later. The latest go-slug releases can be found at https://github.com/hashicorp/go-slug/releases.

**Acknowledgement**

This issue was identified by HashiCorp's Product Security team.

*We deeply appreciate any effort to coordinate disclosure of security vulnerabilities. For information about security at HashiCorp and the reporting of security vulnerabilities, please see [https://hashicorp.com/security](https://hashicorp.com/security).*
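The Details section above describes the general shape of the bug: the destination path is derived from the tar entry's `header.Name` without a sufficient containment check. The following Go program is an added illustration of the check an extractor needs, written for this bulletin; it is not go-slug's code and does not reproduce the specific flaw fixed in 0.16.3. It joins each entry name onto the destination directory, cleans the result, and rejects any entry whose cleaned path is not the destination itself or strictly beneath it (with a separator boundary, so a sibling directory that merely shares a prefix is also rejected). The sample archive is constructed in memory and the entry names in it are made up for the demonstration.

```go
package main

import (
	"archive/tar"
	"bytes"
	"errors"
	"fmt"
	"io"
	"path/filepath"
	"strings"
)

// ErrUnsafePath is returned for any entry whose resolved path escapes the destination.
var ErrUnsafePath = errors.New("tar entry resolves outside destination directory")

// SafeJoin resolves a tar header name against dst and rejects anything that
// would land outside dst. filepath.Join cleans the result, so "..", ".", and
// repeated separators are collapsed before the containment check runs.
func SafeJoin(dst, name string) (string, error) {
	cleanDst := filepath.Clean(dst)
	target := filepath.Join(cleanDst, name)
	// Accept dst itself or paths strictly under dst. The trailing separator in
	// the prefix matters: without it "/tmp/out" would accept "/tmp/out-evil".
	if target != cleanDst && !strings.HasPrefix(target, cleanDst+string(filepath.Separator)) {
		return "", ErrUnsafePath
	}
	return target, nil
}

// CheckArchive walks a tar stream without writing anything and returns the
// names of the entries that SafeJoin would reject for the given destination.
func CheckArchive(r io.Reader, dst string) ([]string, error) {
	tr := tar.NewReader(r)
	var rejected []string
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			return rejected, nil
		}
		if err != nil {
			return nil, err
		}
		if _, err := SafeJoin(dst, hdr.Name); err != nil {
			rejected = append(rejected, hdr.Name)
		}
	}
}

// buildSampleTar constructs an in-memory archive for the demonstration. The
// entry names are made up; two of them are well-formed, two try to climb out.
func buildSampleTar() []byte {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	names := []string{"main.tf", "modules/vpc/main.tf", "../outside.tf", "sub/../../escape.tf"}
	for _, name := range names {
		body := []byte("# constructed content\n")
		hdr := &tar.Header{Name: name, Mode: 0644, Size: int64(len(body))}
		if err := tw.WriteHeader(hdr); err != nil {
			panic(err)
		}
		if _, err := tw.Write(body); err != nil {
			panic(err)
		}
	}
	if err := tw.Close(); err != nil {
		panic(err)
	}
	return buf.Bytes()
}

func main() {
	// Hypothetical destination directory; nothing is written to disk.
	dst := filepath.Join("tmp", "slug-out")
	rejected, err := CheckArchive(bytes.NewReader(buildSampleTar()), dst)
	if err != nil {
		panic(err)
	}
	for _, name := range rejected {
		fmt.Printf("would reject entry %q for destination %q\n", name, dst)
	}
}
```

Two caveats a reviewer of an extractor would raise. First, this string-level check only covers the lexical path of regular file entries; symlink and hardlink entries (`tar.TypeSymlink`, `tar.TypeLink`) need their `Linkname` resolved against the destination as well, and a symlink already written into the destination can redirect a later, lexically valid entry, so the target's real path on disk must be checked at write time too. Second, the check must be applied before the destination is created, which is exactly the situation a containment test based on resolving an existing path cannot handle.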

Timeline

  • Jan 21, 2025 CVE Published