CVE-2025-64346: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in jaredallard archives
archives is a Go library for extracting archives (tar, zip, etc.). Version 1.0.0 does not prevent a malicious user from feeding a specially crafted archive to the library, causing RCE, modification of files or other malicious effects in the context of whichever user the program that imports the library is running as. Severity depends on user permissions, environment and how arbitrary archives are passed. This issue is fixed in version 1.0.1.
AI Analysis
Technical Summary
CVE-2025-64346 is a path traversal vulnerability (CWE-22) found in the 'archives' Go library developed by jaredallard, specifically in version 1.0.0 and earlier. The library is used to extract various archive formats such as tar and zip. The flaw arises because the library does not properly restrict pathnames within extracted archives, allowing an attacker to craft malicious archives containing entries whose paths resolve outside the intended extraction folder. This can lead to overwriting or creating files in arbitrary locations on the host system. If exploited, this can result in remote code execution (RCE), unauthorized modification of files, or other malicious actions executed with the privileges of the user running the program that imports this library. The impact severity depends on the permissions of the user context and the environment in which the library is used; if run by a privileged user or in a sensitive environment, the consequences can be severe. The vulnerability does not require user interaction but does require at least low privileges (PR:L) and an attacker able to supply a crafted archive. The CVSS 4.0 vector indicates network attack vector, low attack complexity, low privileges required, no user interaction, and high impact on integrity. The issue was fixed in version 1.0.1 by properly limiting pathnames to prevent directory traversal. No known exploits are currently reported in the wild. Organizations using this library in software or services that process untrusted archives should upgrade promptly.
Potential Impact
For European organizations, the impact of this vulnerability can be significant, especially for those that use the 'archives' Go library in applications or services that handle archive files from untrusted or external sources. Successful exploitation could allow attackers to execute arbitrary code or modify critical files, potentially leading to system compromise, data breaches, or service disruptions. The severity is heightened in environments where the library runs with elevated privileges or on critical infrastructure. Industries such as finance, healthcare, and government, which often process large volumes of data and archives, could face operational and reputational damage. Additionally, supply chain software that integrates this library could propagate the vulnerability to downstream users. The absence of known exploits in the wild reduces immediate risk but does not eliminate the threat, as attackers may develop exploits once the vulnerability is publicly known. The medium CVSS score reflects moderate risk but should not lead to complacency given the potential for privilege escalation and code execution.
Mitigation Recommendations
European organizations should immediately upgrade the 'archives' Go library to version 1.0.1 or later to ensure the vulnerability is patched. Additionally, they should implement strict validation and sanitization of archive files before extraction, including verifying archive contents for suspicious pathnames that attempt directory traversal. Running extraction processes with the least privilege principle is critical to limit potential damage if exploitation occurs. Employ sandboxing or containerization for services that handle untrusted archives to isolate potential impacts. Monitoring and logging archive extraction activities can help detect anomalous behavior indicative of exploitation attempts. Organizations should also review their software supply chain to identify any dependencies on the vulnerable library and coordinate with vendors or internal development teams to apply patches. Finally, raising awareness among developers about secure archive handling practices will help prevent similar vulnerabilities.
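The pathname check recommended above, shown as an added Go example (not code from the archives library or its 1.0.1 fix): every entry name is resolved against the extraction directory before anything is written, and an entry that resolves outside that directory, or is absolute, aborts the whole extraction. The destination directory and entry names below are constructed sample values.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrTraversal is returned for an archive entry whose resolved path would
// land outside the extraction directory.
var ErrTraversal = errors.New("archive entry escapes extraction directory")

// SafeExtractPath resolves an archive entry name against destDir and rejects
// it unless the cleaned result is destDir itself or strictly inside it.
// Entry names are slash-separated (tar/zip convention); absolute names are
// rejected outright rather than silently re-rooted.
func SafeExtractPath(destDir, entryName string) (string, error) {
	name := filepath.FromSlash(entryName)
	if filepath.IsAbs(name) || strings.HasPrefix(entryName, "/") {
		return "", ErrTraversal
	}
	root, err := filepath.Abs(destDir)
	if err != nil {
		return "", err
	}
	target := filepath.Join(root, name) // Join cleans "." and ".." segments
	if target != root && !strings.HasPrefix(target, root+string(filepath.Separator)) {
		return "", ErrTraversal
	}
	return target, nil
}

// CheckEntries vets every entry name before any file is written, so a single
// malicious entry fails the archive instead of partially extracting it.
func CheckEntries(destDir string, names []string) (map[string]string, error) {
	out := make(map[string]string, len(names))
	for _, n := range names {
		p, err := SafeExtractPath(destDir, n)
		if err != nil {
			return nil, fmt.Errorf("entry %q: %w", n, err)
		}
		out[n] = p
	}
	return out, nil
}

func main() {
	// Constructed sample entry names; the last one climbs out of the target.
	names := []string{"bin/app", "docs/../README", "../../outside.txt"}
	_, err := CheckEntries("/tmp/extract", names)
	fmt.Println(err)
}
```

The same check should be applied to symlink and hardlink targets in tar archives, which are a second route out of the extraction directory that plain name cleaning does not cover.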
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-10-30T17:40:52.031Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 690d86fc82f4da9bb2f8a059
Added to database: 11/7/2025, 5:43:24 AM
Last enriched: 11/7/2025, 5:58:21 AM
Last updated: 11/7/2025, 1:13:44 PM