CVE-2024-0406: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
A flaw was discovered in the mholt/archiver package. This flaw allows an attacker to create a specially crafted tar file, which, when unpacked, may allow access to restricted files or directories. This issue can allow the creation or overwriting of files with the user's or application's privileges using the library.
AI Analysis
Technical Summary
CVE-2024-0406 is a path traversal vulnerability identified in version 3.0.0 of the mholt/archiver package, a widely used Go library for handling archive files. The flaw arises from improper limitation of pathnames during extraction, allowing specially crafted tar files to escape the intended extraction directory. When such a malicious tar archive is unpacked, it can overwrite or create files anywhere the user or application has write permissions. This can lead to unauthorized modification or disclosure of sensitive files, potentially compromising system integrity and confidentiality. The vulnerability requires the victim to unpack the crafted archive, implying user interaction and local access. The CVSS 3.1 base score is 6.1 (medium severity), reflecting a local attack vector, low attack complexity, no privileges required, and required user interaction. No known exploits have been reported in the wild as of the publication date. The vulnerability is particularly relevant for applications or services that automatically extract archives using this library without proper sanitization or validation of archive contents. Without mitigation, attackers could leverage this flaw to escalate privileges or manipulate critical files within the context of the vulnerable application or user account.
Potential Impact
The primary impact of CVE-2024-0406 is unauthorized file creation or overwriting, which threatens both confidentiality and integrity of affected systems. Attackers can potentially overwrite configuration files, inject malicious code, or access sensitive data by placing files outside the intended extraction directory. This can lead to privilege escalation if critical system or application files are modified, or data leakage if sensitive files are exposed. Since exploitation requires local access and user interaction, the threat is more significant in environments where untrusted users can upload or unpack archives, such as CI/CD pipelines, automated deployment systems, or user-facing applications handling archive uploads. Organizations relying on the vulnerable library for automated archive processing may face operational disruptions or security breaches if exploited. However, the lack of known exploits in the wild and the requirement for user interaction somewhat limit the immediacy of risk.
Mitigation Recommendations
To mitigate CVE-2024-0406, organizations should first update the mholt/archiver package to a patched version once available. In the interim, implement strict validation of archive contents before extraction, including sanitizing file paths to prevent directory traversal (e.g., rejecting entries whose names contain '../' components or are absolute paths). Employ sandboxed or isolated environments for unpacking archives to limit potential damage from malicious files. Restrict permissions of the user or process performing extraction to the minimum necessary, preventing overwriting of critical files. Monitor and audit archive extraction activities for anomalies. Additionally, consider using alternative, well-maintained libraries with robust path traversal protections if patching is delayed. Educate developers and system administrators about the risks of unpacking untrusted archives and enforce policies to control archive sources and handling procedures.
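The interim path validation recommended above, as an added example in Go (the language of the affected library); this is example code, not code from the mholt/archiver project or its fix. It validates each tar entry's cleaned path and each symlink target against the destination directory before anything is written. The function names, the sample archive built by BuildDemoTar and its entry names are the example's own.

```go
package main

import (
	"archive/tar"
	"bytes"
	"errors"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
)

// ErrTraversal marks an entry that would resolve outside the destination directory.
var ErrTraversal = errors.New("archive entry escapes destination directory")

// SafeJoin resolves an entry name against dest and rejects absolute names and any name that
// lands outside dest once cleaned (so "a/../../b" and prefix collisions are caught too).
func SafeJoin(dest, name string) (string, error) {
	clean := filepath.FromSlash(name)
	target := filepath.Join(dest, clean) // Join also cleans the path
	rel, err := filepath.Rel(dest, target)
	if err != nil || filepath.IsAbs(clean) || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("%w: %q", ErrTraversal, name)
	}
	return target, nil
}

// ExtractTar unpacks r into dest, validating each name and symlink target before touching disk.
func ExtractTar(r io.Reader, dest string) error {
	tr := tar.NewReader(r)
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			return nil
		}
		if err != nil {
			return err
		}
		target, err := SafeJoin(dest, hdr.Name)
		if err != nil {
			return err // stop at the first rejected entry
		}
		if err = os.MkdirAll(filepath.Dir(target), 0o755); err != nil {
			return err
		}
		switch hdr.Typeflag {
		case tar.TypeDir:
			err = os.MkdirAll(target, 0o755)
		case tar.TypeReg: // fixed mode: setuid/setgid bits from an untrusted archive are never honoured
			var f *os.File
			if f, err = os.OpenFile(target, os.O_CREATE|os.O_WRONLY|os.O_TRUNC, 0o644); err == nil {
				_, err = io.Copy(f, io.LimitReader(tr, hdr.Size)) // bounded by the declared size
				if cerr := f.Close(); err == nil {
					err = cerr
				}
			}
		case tar.TypeSymlink: // the target, resolved from the link's own directory, must stay inside dest
			link := hdr.Linkname
			if !strings.HasPrefix(link, "/") {
				link = filepath.Join(filepath.Dir(hdr.Name), link)
			}
			if _, err = SafeJoin(dest, link); err == nil {
				err = os.Symlink(hdr.Linkname, target)
			}
		default: // hard links, devices, FIFOs: refused for untrusted input
			err = fmt.Errorf("unsupported entry type %q for %q", hdr.Typeflag, hdr.Name)
		}
		if err != nil {
			return err
		}
	}
}

// BuildDemoTar returns an in-memory archive of regular files: constructed sample input, not a real artifact.
func BuildDemoTar(names ...string) []byte {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	for _, n := range names {
		body := "content of " + n + "\n"
		hdr := &tar.Header{Name: n, Typeflag: tar.TypeReg, Mode: 0o644, Size: int64(len(body))}
		if err := tw.WriteHeader(hdr); err != nil {
			panic(err)
		}
		io.WriteString(tw, body) // in-memory write of exactly the declared size; cannot fail
	}
	tw.Close()
	return buf.Bytes()
}

func main() {
	dest, err := os.MkdirTemp("", "safe-extract-")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dest)
	// The second entry is rejected with ErrTraversal; nothing is written outside dest.
	fmt.Println(ExtractTar(bytes.NewReader(BuildDemoTar("sub/ok.txt", "../escape.txt")), dest))
}
```

A bare substring check for '../' is not enough on its own: names such as "a/../../b" are only recognisable after cleaning, and a prefix comparison without a separator would accept "out-evil" as being inside "out", which is why the example compares the cleaned relative path. The symlink check is lexical and does not account for a directory symlink extracted earlier in the same archive; on Go 1.24 and later, os.OpenRoot gives kernel-enforced containment for the write side and is the stronger choice when available.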
Affected Countries
United States, Germany, China, India, United Kingdom, France, Japan, South Korea, Canada, Australia
Technical Details
- Data Version: 5.1
- Assigner Short Name: redhat
- Date Reserved: 2024-01-10T18:18:28.288Z
- CISA Enriched: true
Threat ID: 682d983ec4522896dcbefacd
Added to database: 5/21/2025, 9:09:18 AM
Last enriched: 2/28/2026, 11:01:04 AM
Last updated: 3/21/2026, 1:56:07 PM