CVE-2026-32805: Go Zip Slip Prefix Bypass

Provally Curated | Public repository | High | Medium confidence | Verified | Apache-2.0 | go
greprules fetch cve-2026-32805-go-zip-slip-prefix-bypass --engine opengrep

Description

Validate archive extraction paths properly. Using strings.HasPrefix to check an extraction path against the destination directory, without a trailing path separator on that directory, is vulnerable to Zip Slip path traversal: a sibling directory whose name starts with the same prefix passes the validation. Append os.PathSeparator to the directory prefix before comparing.
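The flawed check and the corrected one side by side, as an added example that is not part of the rule or of any project's code. The function names, the destination directory and the entry names are constructed for illustration.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// weakContained reproduces the flawed check: a bare prefix comparison
// with no trailing separator on the destination directory.
func weakContained(destDir, entryName string) bool {
	target := filepath.Join(destDir, entryName)
	return strings.HasPrefix(target, filepath.Clean(destDir))
}

// safeContained appends os.PathSeparator to the cleaned destination so
// that only paths strictly inside destDir match the prefix.
func safeContained(destDir, entryName string) bool {
	base := filepath.Clean(destDir)
	target := filepath.Join(base, entryName)
	if target == base { // entry resolves to the destination itself
		return true
	}
	return strings.HasPrefix(target, base+string(os.PathSeparator))
}

func main() {
	dest := filepath.FromSlash("/srv/app/uploads") // constructed destination
	// Constructed entry names, as they would appear in archive headers.
	for _, name := range []string{
		"docs/readme.txt",
		"../uploads-old/readme.txt", // sibling directory sharing the prefix
		"../../etc/hosts",
	} {
		fmt.Printf("%-28s weak=%-5v safe=%v\n",
			name, weakContained(dest, name), safeContained(dest, name))
	}
}
```

The weak check still rejects ../../etc/hosts, which is why this bug tends to survive basic traversal tests; only the sibling-prefix case separates the two functions.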

Detection target

Not provided

Recommended fix

Not provided

False-positive notes

Not provided
