Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXFnZnItNWhxcC12cnc5
Path Traversal in decompress
Versions of decompress prior to 4.2.1 are vulnerable to Arbitrary File Write. The package fails to prevent extraction of files with relative paths, allowing attackers to write to any folder in the system by including filenames containing "../".
Recommendation
Upgrade to version 4.2.1 or later.
Permalink: https://github.com/advisories/GHSA-qgfr-5hqp-vrw9
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXFnZnItNWhxcC12cnc5
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: over 3 years ago
Updated: about 1 year ago
CVSS Score: 9.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Identifiers: GHSA-qgfr-5hqp-vrw9, CVE-2020-12265
References:
- https://nvd.nist.gov/vuln/detail/CVE-2020-12265
- https://github.com/kevva/decompress/issues/71
- https://github.com/kevva/decompress/pull/73
- https://github.com/kevva/decompress/commit/967146e70f48be32ed1a69daa3941d681944d513
- https://github.com/advisories/GHSA-qgfr-5hqp-vrw9
Blast Radius: 53.4
Affected Packages
npm:decompress
Dependent packages: 1,168
Dependent repositories: 280,049
Downloads: 12,053,880 last month
Affected Version Ranges: < 4.2.1
Fixed in: 4.2.1
All affected versions: 0.1.0, 0.1.1, 0.1.2, 0.1.3, 0.1.4, 0.1.5, 0.1.6, 0.1.7, 0.1.8, 0.1.9, 0.1.10, 0.2.0, 0.2.1, 0.2.2, 0.2.3, 0.2.4, 0.2.5, 0.3.0, 0.3.1, 0.3.2, 0.3.3, 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.0.5, 1.0.6, 1.0.7, 2.0.0, 2.1.0, 2.1.1, 2.1.2, 2.2.0, 2.2.1, 2.3.0, 3.0.0, 4.0.0, 4.1.0, 4.2.0
All unaffected versions: 4.2.1