CVE-2025-64346: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in jaredallard archives
archives is a Go library for extracting archives (tar, zip, etc.). Version 1.0.0 does not prevent a malicious user from feeding a specially crafted archive to the library, causing RCE, modification of files or other malignancies in the context of whatever user the library is running as, through the program that imports it. Severity depends on user permissions, environment and how arbitrary archives are passed. This issue is fixed in version 1.0.1.
AI Analysis
Technical Summary
CVE-2025-64346 is a path traversal vulnerability classified under CWE-22 found in the 'archives' Go library maintained by jaredallard, specifically in version 1.0.0 and earlier. This library is used for extracting various archive formats such as tar and zip. The vulnerability arises because the library does not properly restrict pathname traversal sequences in archive entries, allowing an attacker to craft archive files that, when extracted, can write files outside the intended extraction directory. This can lead to remote code execution (RCE), unauthorized modification of files, or other malicious actions within the security context of the application using the library. The severity of the impact depends heavily on the permissions of the user running the extraction process and the environment setup. For example, if the extraction runs with elevated privileges or in a sensitive environment, the attacker could overwrite critical system or application files, potentially leading to system compromise. The vulnerability requires no user interaction beyond the processing of the malicious archive and can be exploited remotely by supplying a crafted archive file. The issue was addressed and fixed in version 1.0.1 of the library. The CVSS 4.0 vector indicates a network attack vector, low attack complexity, partial privileges required, no user interaction, and high impact on integrity, resulting in a medium severity score of 6.0. No known exploits are currently reported in the wild. Organizations using this library in automated or manual archive extraction workflows should be aware of this risk.
Potential Impact
For European organizations, the impact of CVE-2025-64346 can be significant depending on how the 'archives' library is integrated into their software systems. Organizations that automatically process user-supplied or third-party archives—such as cloud service providers, software vendors, and enterprises handling large volumes of compressed data—are at risk of unauthorized file modifications or remote code execution. This could lead to data breaches, system downtime, or lateral movement within networks. The risk is amplified if the extraction process runs with elevated privileges or in critical infrastructure environments. Confidentiality may be compromised if sensitive files are overwritten or replaced, integrity is directly impacted due to unauthorized file modifications, and availability could be affected if critical system files are corrupted. European organizations in sectors like finance, healthcare, and government, which often have strict regulatory requirements for data protection, could face compliance violations and reputational damage if exploited. The medium severity rating suggests a moderate but actionable risk that should be addressed promptly to avoid potential exploitation.
Mitigation Recommendations
To mitigate CVE-2025-64346, European organizations should immediately upgrade the 'archives' Go library to version 1.0.1 or later, where the vulnerability is fixed. Additionally, organizations should implement strict validation and sanitization of archive files before extraction, including verifying archive contents do not contain path traversal sequences or unexpected file paths. Running extraction processes with the least privilege necessary reduces the impact of potential exploitation. Employing sandboxing or containerization for archive extraction workflows can further isolate potential damage. Monitoring and logging archive extraction activities can help detect suspicious behavior. Organizations should also review and update their software supply chain and CI/CD pipelines to ensure no vulnerable versions of the library are used. Finally, educating developers and system administrators about secure archive handling practices will reduce the risk of accidental exposure.
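The pre-extraction check recommended above, and the traversal condition described in the technical summary, as an added example in Go (this is not code from the archives library or its fix): SafeJoin refuses any entry whose cleaned path would land outside the destination, and RejectedEntries runs it over a tar stream before anything is written. It assumes dest is a cleaned absolute path; the archive it scans is constructed in memory.

```go
package main

import (
	"archive/tar"
	"bytes"
	"fmt"
	"io"
	"path/filepath"
	"strings"
)

// SafeJoin resolves an entry name against dest (assumed clean and absolute) and
// rejects names whose cleaned path lands outside dest (CWE-22); Join places a leading "/" under dest.
func SafeJoin(dest, name string) (string, error) {
	target := filepath.Join(dest, name) // Join cleans, so "a/../../x" resolves above dest
	if target != dest && !strings.HasPrefix(target, dest+string(filepath.Separator)) {
		return "", fmt.Errorf("archive entry %q escapes %s", name, dest)
	}
	return target, nil
}

// RejectedEntries scans a tar stream before extraction and returns the names
// that SafeJoin refuses, so a caller can abort without touching the disk.
func RejectedEntries(dest string, r io.Reader) ([]string, error) {
	var rejected []string
	tr := tar.NewReader(r)
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			return rejected, nil
		} else if err != nil {
			return nil, err
		}
		if _, jerr := SafeJoin(dest, hdr.Name); jerr != nil {
			rejected = append(rejected, hdr.Name)
		}
	}
}

func main() {
	// Constructed sample archive: one benign entry, one that climbs out of dest.
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	for _, n := range []string{"ok/readme.txt", "../../outside.txt"} {
		_ = tw.WriteHeader(&tar.Header{Name: n, Mode: 0o644})
	}
	_ = tw.Close()
	rej, err := RejectedEntries("/tmp/extract", &buf)
	fmt.Println("rejected:", rej, "err:", err)
}
```

The separator appended to dest in the prefix test matters: without it, an entry resolving to /tmp/extract2/x would pass the check for dest /tmp/extract.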
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy, Spain, Poland
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-10-30T17:40:52.031Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 690d86fc82f4da9bb2f8a059
Added to database: 11/7/2025, 5:43:24 AM
Last enriched: 11/14/2025, 9:17:25 AM
Last updated: 12/22/2025, 6:19:02 AM