Arbitrary File Write via Archive Extraction

2018-08-03T15:08:43
ID NODEJS:680
Type nodejs
Reporter snyk security team
Modified 2019-06-18T23:47:09

Description

Overview

Versions of unzipper before 0.8.13 are vulnerable to arbitrary file write when used to extract a specially crafted archive that contains path traversal filenames (../../file.txt, for example).

Recommendation

Update to version 0.3.18 or later.
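
As defence in depth alongside the upgrade, the entry-name check that prevents this class of bug can be applied before any entry is written. The following is an added example, not code from unzipper or from the advisory; the helper names (resolveEntryPath, auditEntries), the extraction root /srv/app/uploads and the sample entry names are assumptions constructed for illustration.

```javascript
const path = require('path');

// Hypothetical helper: map an archive entry name to a path under destDir,
// throwing if the name would resolve to anything outside that directory.
function resolveEntryPath(destDir, entryName) {
  const root = path.resolve(destDir);
  // Zip names use '/', but crafted archives may use '\' too; treat both as
  // separators so the check gives the same answer on every platform.
  const name = String(entryName).replace(/\\/g, '/');
  if (name.includes('\0')) {
    throw new Error('NUL byte in entry name');
  }
  const target = path.resolve(root, name);
  const rel = path.relative(root, target);
  // rel is '' when the entry is the root itself, and starts with '..' (or is
  // absolute, on another Windows drive) when the entry escapes the root.
  const escapes = rel === '' || rel === '..' ||
    rel.startsWith('..' + path.sep) || path.isAbsolute(rel);
  if (escapes) {
    throw new Error('entry escapes extraction root: ' + JSON.stringify(entryName));
  }
  return target;
}

// Split a list of entry names into those safe to write and those refused.
function auditEntries(destDir, entryNames) {
  const result = { safe: [], rejected: [] };
  for (const name of entryNames) {
    try {
      result.safe.push(resolveEntryPath(destDir, name));
    } catch (err) {
      result.rejected.push(name);
    }
  }
  return result;
}

// Constructed sample entry names, not taken from a real archive.
const SAMPLE_ENTRIES = [
  'docs/readme.txt',      // ordinary nested file
  'a/../b.txt',           // contains '..' but stays inside the root
  '..notes/todo.txt',     // leading dots are a legal file name
  '../../file.txt',       // the traversal form quoted in the advisory
  'a/../../b.txt',        // climbs out after descending
  '/tmp/absolute.txt',    // absolute path
  '..\\..\\file.txt',     // backslash-separated traversal
];

console.log(auditEntries('/srv/app/uploads', SAMPLE_ENTRIES));
```

The check is purely lexical: it does not follow symbolic links, so archives that contain symlink entries need separate handling.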
