bower is vulnerable to arbitrary file write attacks. The vulnerability exists as it fails to restrict extracting files that are referencing symbolic links, allowing arbitrary files to be written during decompression.
github.com/bower/bower/commit/45c6bfa86f6e57731b153baca9e0b41a1cc699e3
hackerone.com/reports/473811
lists.apache.org/thread.html/r8ba4c628fba7181af58817d452119481adce4ba92e889c643e4c7dd3@%3Ccommits.netbeans.apache.org%3E
lists.apache.org/thread.html/rb5ac16fad337d1f3bb7079549f97d8166d0ef3082629417c39f12d63@%3Cnotifications.netbeans.apache.org%3E