
25 matches found

OSV
added 2026/06/04 9:3 p.m., 10 views

ROOT-APP-NPM-CVE-2026-31988 CVE-2026-31988 in @rootio/yauzl - Patched by Root

Root has patched CVE-2026-31988 in the @rootio/yauzl package for Root:npm. Multiple fixed versions available...

CVSS 5.3 | AI score 5.9 | EPSS 0.00485
Exploits 0

RedhatCVE
added 2026/03/26 3:7 p.m., 4 views

CVE-2026-31988

yauzl aka Yet Another Unzip Library version 3.2.0 for Node.js contains an off-by-one error in the NTFS extended timestamp extra field parser within the getLastModDate function. The while loop condition checks cursor < data.length + 4 instead of cursor + 4 <= data.length, allowing readUInt16LE to rea...

CVSS 6.9 | AI score 6 | EPSS 0.00485
Exploits 0 | References 1

SUSE CVE
added 2026/03/13 12:23 a.m., 1 views

SUSE CVE-2026-31988

yauzl aka Yet Another Unzip Library version 3.2.0 for Node.js contains an off-by-one error in the NTFS extended timestamp extra field parser within the getLastModDate function. The while loop condition checks cursor < data.length + 4 instead of cursor + 4 <= data.length, allowing readUInt16LE to rea...

CVSS 6.9 | AI score 6 | EPSS 0.00485
Exploits 0 | References 3

Tenable Nessus
added 2026/03/13 12:0 a.m., 8 views

Linux Distros Unpatched Vulnerability : CVE-2026-31988

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - yauzl aka Yet Another Unzip Library version 3.2.0 for Node.js contains an off-by-one error in the NTFS extended timestamp extra field parser within the...

CVSS 6.9 | AI score 5.8 | EPSS 0.00485
Exploits 0 | References 3

vulnersOsv
added 2026/03/12 12:35 a.m., 6 views

@acabai/android (>=1.0.0 <=1.0.1), @addfox/cli (>=0.1.1 <=0.1.1-beta.16) +169 more potentially affected by CVE-2026-31988 via yauzl (=3.2.0)

yauzl NPM version =3.2.0 is affected by a known vulnerability. The following packages have a transitive dependency on yauzl and may be impacted: - @acabai/android =1.0.0, =0.1.1, =0.1.1, =1.6.10, =3.4.26, =2.1.83, =1.2.7, =1.1.22, =8.0.0, =10.0.0, =10.0.0, =1.0.0, =1.0.1, =8.9.4, =9.10.1,...

CVSS 6.9 | AI score 5.7 | EPSS 0.00485
Exploits 0

Snyk
added 2026/03/12 12:35 a.m., 2 views

Off-by-one Error

Overview Affected versions of this package are vulnerable to Off-by-one Error via the entry.getLastModDate function. An attacker can cause the process or the Node.js server to crash by submitting a malicious zip file containing a malformed NTFS extra field. PoC js // Direct demonstration of the...

CVSS 6.9 | AI score 6 | EPSS 0.00485
Exploits 0 | References 2

OSV
added 2026/03/12 12:31 a.m., 2 views

GHSA-GMQ8-994R-JV83 yauzl contains an off-by-one error

yauzl aka Yet Another Unzip Library version 3.2.0 for Node.js contains an off-by-one error in the NTFS extended timestamp extra field parser within the getLastModDate function. The while loop condition checks cursor < data.length + 4 instead of cursor + 4 <= data.length, allowing readUInt16LE to rea...

CVSS 6.9 | AI score 6.1 | EPSS 0.00485
Exploits 0 | References 6

vulnersOsv
added 2026/03/12 12:31 a.m., 6 views

@acabai/android (>=1.0.0 <=1.0.1), @addfox/cli (>=0.1.1 <=0.1.1-beta.16) +169 more potentially affected by CVE-2026-31988 via yauzl (=3.2.0)

yauzl NPM version =3.2.0 is affected by a known vulnerability. The following packages have a transitive dependency on yauzl and may be impacted: - @acabai/android =1.0.0, =0.1.1, =0.1.1, =1.6.10, =3.4.26, =2.1.83, =1.2.7, =1.1.22, =8.0.0, =10.0.0, =10.0.0, =1.0.0, =1.0.1, =8.9.4, =9.10.1,...

CVSS 6.9 | AI score 5.7 | EPSS 0.00485
Exploits 0

Github Security Blog
added 2026/03/12 12:31 a.m., 11 views

yauzl contains an off-by-one error

yauzl aka Yet Another Unzip Library version 3.2.0 for Node.js contains an off-by-one error in the NTFS extended timestamp extra field parser within the getLastModDate function. The while loop condition checks cursor < data.length + 4 instead of cursor + 4 <= data.length, allowing readUInt16LE to rea...

CVSS 6.9 | AI score 6 | EPSS 0.00485
Exploits 0 | References 6 | Affected Software 1

NVD
added 2026/03/11 11:16 p.m., 2 views

CVE-2026-31988

yauzl aka Yet Another Unzip Library version 3.2.0 for Node.js contains an off-by-one error in the NTFS extended timestamp extra field parser within the getLastModDate function. The while loop condition checks cursor < data.length + 4 instead of cursor + 4 <= data.length, allowing readUInt16LE to rea...

CVSS 6.9 | EPSS 0.00485
Exploits 0 | References 4

OSV
added 2026/03/11 11:16 p.m., 5 views

UBUNTU-CVE-2026-31988

yauzl aka Yet Another Unzip Library version 3.2.0 for Node.js contains an off-by-one error in the NTFS extended timestamp extra field parser within the getLastModDate function. The while loop condition checks cursor < data.length + 4 instead of cursor + 4 <= data.length, allowing readUInt16LE to rea...

CVSS 6.9 | AI score 6 | EPSS 0.00485
Exploits 0 | References 2

Vulnrichment
added 2026/03/11 10:58 p.m., 2 views

CVE-2026-31988 yauzl 3.2.0 - Denial of Service via Off-by-One Error in NTFS Timestamp Parser

yauzl aka Yet Another Unzip Library version 3.2.0 for Node.js contains an off-by-one error in the NTFS extended timestamp extra field parser within the getLastModDate function. The while loop condition checks cursor < data.length + 4 instead of cursor + 4 <= data.length, allowing readUInt16LE to rea...

CVSS 6.9 | AI score 6 | EPSS 0.00485
Exploits 0 | References 4

CVE
added 2026/03/11 10:58 p.m., 14 views

CVE-2026-31988

Vulnerability in yauzl 3.2.0 (Node.js): an off‑by‑one bug in the NTFS extended timestamp extra field parser inside getLastModDate() allows readUInt16LE() to exceed the buffer when the loop condition is cursor < data.length + 4 instead of cursor + 4

CVSS 6.9 | AI score 6 | EPSS 0.00485
Exploits 0 | References 4

CNNVD
added 2026/03/11 12:0 a.m., 7 views

yauzl security vulnerability

Yauzl is a Node.js decompression library developed by Josh Wolfe. Version 3.2.0 of Yauzl contains a security vulnerability, which stems from a minor error in the NTFS extended timestamp parser. This vulnerability may lead to a denial-of-service attack when processing specially crafted ZIP files...

CVSS 6.9 | AI score 5.8 | EPSS 0.00485
Exploits 0 | References 4

EUVD
added 2025/10/03 8:7 p.m., 4 views

EUVD-2025-10971

Malicious code in bioql PyPI...

CVSS 6.5 | AI score 6.5 | EPSS 0.00479
Exploits 1 | References 4

RedhatCVE
added 2025/04/17 3:29 p.m., 8 views

CVE-2025-32949

This vulnerability allows any authenticated user to cause the server to consume very large amounts of disk space when extracting a Zip Bomb. If user import is enabled which is the default setting, any registered user can upload an archive for importing. The code uses the yauzl library for reading...

CVSS 6.5 | AI score 7 | EPSS 0.00463
Exploits 1 | References 1

RedhatCVE
added 2025/04/17 2:52 p.m., 7 views

CVE-2025-32944

The vulnerability allows any authenticated user to cause the PeerTube server to stop functioning in a persistent manner. If user import is enabled which is the default setting, any registered user can upload an archive for importing. The code uses the yauzl library for reading the archive. If the...

CVSS 6.5 | AI score 6.9 | EPSS 0.00479
Exploits 1 | References 1

NVD
added 2025/04/15 3:16 p.m., 10 views

CVE-2025-32949

This vulnerability allows any authenticated user to cause the server to consume very large amounts of disk space when extracting a Zip Bomb. If user import is enabled which is the default setting, any registered user can upload an archive for importing. The code uses the yauzl library for reading...

CVSS 6.5 | EPSS 0.00463
Exploits 1 | References 2

OSV
added 2025/04/15 3:16 p.m., 3 views

CVE-2025-32949

This vulnerability allows any authenticated user to cause the server to consume very large amounts of disk space when extracting a Zip Bomb. If user import is enabled which is the default setting, any registered user can upload an archive for importing. The code uses the yauzl library for reading...

CVSS 6.5 | AI score 7.1
Exploits 0 | References 2

Vulnrichment
added 2025/04/15 2:57 p.m., 5 views

CVE-2025-32949 PeerTube User Import Authenticated Resource Exhaustion

This vulnerability allows any authenticated user to cause the server to consume very large amounts of disk space when extracting a Zip Bomb. If user import is enabled which is the default setting, any registered user can upload an archive for importing. The code uses the yauzl library for reading...

CVSS 6.5 | AI score 6.5 | EPSS 0.00463
Exploits 1 | References 2