25 matches found
ROOT-APP-NPM-CVE-2026-31988 CVE-2026-31988 in @rootio/yauzl - Patched by Root
Root has patched CVE-2026-31988 in the @rootio/yauzl package for Root:npm. Multiple fixed versions available...
CVE-2026-31988
yauzl aka Yet Another Unzip Library version 3.2.0 for Node.js contains an off-by-one error in the NTFS extended timestamp extra field parser within the getLastModDate function. The while loop condition checks cursor < data.length + 4 instead of cursor + 4 <= data.length, allowing readUInt16LE to rea...
SUSE CVE-2026-31988
yauzl aka Yet Another Unzip Library version 3.2.0 for Node.js contains an off-by-one error in the NTFS extended timestamp extra field parser within the getLastModDate function. The while loop condition checks cursor < data.length + 4 instead of cursor + 4 <= data.length, allowing readUInt16LE to rea...
Linux Distros Unpatched Vulnerability : CVE-2026-31988
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - yauzl aka Yet Another Unzip Library version 3.2.0 for Node.js contains an off-by-one error in the NTFS extended timestamp extra field parser within the...
@acabai/android (>=1.0.0 <=1.0.1), @addfox/cli (>=0.1.1 <=0.1.1-beta.16) +169 more potentially affected by CVE-2026-31988 via yauzl (=3.2.0)
yauzl NPM version =3.2.0 is affected by a known vulnerability. The following packages have a transitive dependency on yauzl and may be impacted: - @acabai/android =1.0.0, =0.1.1, =0.1.1, =1.6.10, =3.4.26, =2.1.83, =1.2.7, =1.1.22, =8.0.0, =10.0.0, =10.0.0, =1.0.0, =1.0.1, =8.9.4, =9.10.1,...
Off-by-one Error
Overview Affected versions of this package are vulnerable to Off-by-one Error via the entry.getLastModDate function. An attacker can cause the process or the Node.js server to crash by submitting a malicious zip file containing a malformed NTFS extra field. PoC js // Direct demonstration of the...
GHSA-GMQ8-994R-JV83 yauzl contains an off-by-one error
yauzl aka Yet Another Unzip Library version 3.2.0 for Node.js contains an off-by-one error in the NTFS extended timestamp extra field parser within the getLastModDate function. The while loop condition checks cursor < data.length + 4 instead of cursor + 4 <= data.length, allowing readUInt16LE to rea...
yauzl contains an off-by-one error
yauzl aka Yet Another Unzip Library version 3.2.0 for Node.js contains an off-by-one error in the NTFS extended timestamp extra field parser within the getLastModDate function. The while loop condition checks cursor < data.length + 4 instead of cursor + 4 <= data.length, allowing readUInt16LE to rea...
UBUNTU-CVE-2026-31988
yauzl aka Yet Another Unzip Library version 3.2.0 for Node.js contains an off-by-one error in the NTFS extended timestamp extra field parser within the getLastModDate function. The while loop condition checks cursor < data.length + 4 instead of cursor + 4 <= data.length, allowing readUInt16LE to rea...
CVE-2026-31988 yauzl 3.2.0 - Denial of Service via Off-by-One Error in NTFS Timestamp Parser
yauzl aka Yet Another Unzip Library version 3.2.0 for Node.js contains an off-by-one error in the NTFS extended timestamp extra field parser within the getLastModDate function. The while loop condition checks cursor < data.length + 4 instead of cursor + 4 <= data.length, allowing readUInt16LE to rea...
CVE-2026-31988
Vulnerability in yauzl 3.2.0 (Node.js): an off‑by‑one bug in the NTFS extended timestamp extra field parser inside getLastModDate() allows readUInt16LE() to exceed the buffer when the loop condition is cursor < data.length + 4 instead of cursor + 4
yauzl security vulnerability
Yauzl is a Node.js decompression library developed by Josh Wolfe. Version 3.2.0 of Yauzl contains a security vulnerability, which stems from a minor error in the NTFS extended timestamp parser. This vulnerability may lead to a denial-of-service attack when processing specially crafted ZIP files...
EUVD-2025-10971
Malicious code in bioql PyPI...
CVE-2025-32949
This vulnerability allows any authenticated user to cause the server to consume very large amounts of disk space when extracting a Zip Bomb. If user import is enabled which is the default setting, any registered user can upload an archive for importing. The code uses the yauzl library for reading...
CVE-2025-32944
The vulnerability allows any authenticated user to cause the PeerTube server to stop functioning in a persistent manner. If user import is enabled which is the default setting, any registered user can upload an archive for importing. The code uses the yauzl library for reading the archive. If the...
CVE-2025-32949 PeerTube User Import Authenticated Resource Exhaustion
This vulnerability allows any authenticated user to cause the server to consume very large amounts of disk space when extracting a Zip Bomb. If user import is enabled which is the default setting, any registered user can upload an archive for importing. The code uses the yauzl library for reading...