CyberAlerts is shutting down on June 30th, 2025. Thank you for your support!

CVE-2024-24789: Mishandling of corrupt central directory record in archive/zip

Description

The archive/zip package's handling of certain types of invalid zip files differs from the behavior of most zip implementations. This misalignment could be exploited to create an zip file with contents that vary depending on the implementation reading the file. The archive/zip package now rejects files containing these errors.

Classification

CVE ID: CVE-2024-24789

Affected Products

Vendor: Go standard library

Product: archive/zip

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.04% (probability of being exploited)

EPSS Percentile: 12.28% (scored less or equal to compared to others)

EPSS Date: 2025-03-01 (when was this score calculated)

References

https://go.dev/cl/585397
https://go.dev/issue/66869
https://groups.google.com/g/golang-announce/c/XbxouI9gY7k/m/TuoGEhxIEwAJ
https://pkg.go.dev/vuln/GO-2024-2888
http://www.openwall.com/lists/oss-security/2024/06/04/1
https://lists.fedoraproject.org/archives/list/[email protected]/message/U5YAEIA6IUHUNGJ7AIXXPQT6D2GYENX7/

Timeline

2025-02-01 00:30:28 UTC
CVE

Mishandling of corrupt central directory record in archive/zip