2 matches found
CVE-2022-48285
CVE-2022-48285 affects JSZip: the loadAsync function in JSZip before 3.8.0 can be exploited to perform a directory traversal via crafted ZIP archives, enabling access to files outside the target directory. Remediation: upgrade to JSZip 3.8.0 or later, which fixes the issue.
CVE-2021-23413
CVE-2021-23413 affects jszip before 3.7.0. Crafting a ZIP with filenames equal to Object prototype properties (e.g., __proto__, toString) yields a returned object with a modified prototype. The connected IBM document confirms the CVE and description but provides no explicit remediation or patch vers...