archive/zip: denial of service when parsing arbitrary ZIP archives (CVE-2025-61728)

[neild]

archive/zip used a super-linear file name indexing algorithm that is invoked the first time a file in an archive is opened. This can lead to a denial of service when consuming a maliciously constructed ZIP archive.

Thanks to Thanks to Jakub Ciolek for reporting this issue.

This is CVE-2025-61728 and Go issue https://go.dev/issue/77102.

---

This is a PRIVATE issue for CVE-2025-61728, tracked in http://b/445533267 and fixed by https://go-internal-review.git.corp.google.com/c/go/+/3060.

/cc @golang/security and @golang/release

[neild]

@gopherbot please open backport issues for this security fix

[gopherbot]

Backport issue(s) opened: #77109 (for 1.24), #77110 (for 1.25).

Remember to create the cherry-pick CL(s) as soon as the patch is submitted to master, according to https://go.dev/wiki/MinorReleases.

[gopherbot]

Change https://go.dev/cl/736724 mentions this issue: [release-branch.go1.25] archive/zip: reduce CPU usage in index construction

[gopherbot]

Change https://go.dev/cl/736703 mentions this issue: [release-branch.go1.24] archive/zip: reduce CPU usage in index construction

[gopherbot]

Change https://go.dev/cl/736708 mentions this issue: [release-branch.go1.26] archive/zip: reduce CPU usage in index construction

[gopherbot]

Change https://go.dev/cl/736713 mentions this issue: archive/zip: reduce CPU usage in index construction