Affected versions of superagent
do not check the post-decompression size of ZIP compressed HTTP responses prior to decompressing. This results in the package being vulnerable to a ZIP bomb attack, where an extremely small ZIP file becomes many orders of magnitude larger when decompressed.
This may result in unrestrained CPU/Memory/Disk consumption, causing a denial of service condition.
Update to version 3.7.0 or later.
CPE | Name | Operator | Version |
---|---|---|---|
superagent | lt | 3.7.0 |