Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTczdjgtdjZnNC12cnBt
Arbitrary File Overwrite in decompress-zip
Vulnerable versions of decompress-zip are affected by the Zip-Slip vulnerability, an arbitrary file write vulnerability. The vulnerability occurs because decompress-zip does not verify that extracted files do not resolve to targets outside of the extraction root directory.
Recommendation
For decompress-zip 0.2.x upgrade to 0.2.2 or later.
For decompress-zip 0.3.x upgrade to 0.3.2 or later.
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTczdjgtdjZnNC12cnBt
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: about 3 years ago
Updated: 9 months ago
Identifiers: GHSA-73v8-v6g4-vrpm
References:
- https://github.com/nodejs/security-wg/blob/master/vuln/npm/488.json
- https://snyk.io/research/zip-slip-vulnerability
- https://www.npmjs.com/advisories/777
- https://github.com/advisories/GHSA-73v8-v6g4-vrpm
Affected Packages
npm:decompress-zip
Versions: >= 0.3.0, < 0.3.2, < 0.2.2Fixed in: 0.3.2, 0.2.2