{"id":"CVE-2023-39137","details":"An issue in Archive v3.3.7 allows attackers to spoof zip filenames which can lead to inconsistent filename parsing.","aliases":["GHSA-r285-q736-9v95"],"modified":"2026-04-10T05:00:16.792714Z","published":"2023-08-30T22:15:09.030Z","references":[{"type":"ADVISORY","url":"https://www.rapid7.com/db/modules/exploit/windows/fileformat/winrar_name_spoofing/"},{"type":"REPORT","url":"https://github.com/brendan-duncan/archive/issues/266"},{"type":"EVIDENCE","url":"https://blog.ostorlab.co/zip-packages-exploitation.html"},{"type":"EVIDENCE","url":"https://ostorlab.co/vulndb/advisory/OVE-2023-3"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/brendan-duncan/archive","events":[{"introduced":"0"},{"last_affected":"6fc3b89fcdb89b593402e0dabc13a7d7fd3f762d"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"3.3.7"}]}}],"versions":["1.0.18","1.0.19","1.0.20","1.0.22","1.0.23","1.0.25","1.0.26","1.0.27","1.0.28","1.0.29","1.0.31","1.0.32","1.0.33","2.0.0","2.0.1","2.0.10","2.0.12","2.0.13","2.0.2","2.0.3","2.0.4","2.0.5","2.0.6","2.0.8","2.0.9","3.1.1","3.1.10","3.1.11","3.1.2","3.1.4","3.1.5","3.1.6","3.1.7","3.1.8","3.1.9","3.2.0","3.2.1","3.2.2","3.3.0","3.3.1","3.3.2","3.3.3","3.3.4","3.3.5","3.3.7","v3.0.0-nullsafety.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-39137.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}]}