Arbitrary File Write in adm-zip

high severity GitHub Reviewed Published Jul 27, 2018 • Updated Jan 8, 2021

Package

adm-zip (npm)

Affected versions

< 0.4.11

Patched versions

0.4.11

Description

Versions of adm-zip before 0.4.9 are vulnerable to arbitrary file write when used to extract a specially crafted archive that contains path traversal filenames (for example, ../../file.txt).

Recommendation

Update to version 0.4.9 or later.
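
As an added example (not adm-zip's code and not part of the advisory), this is a check an application can run over archive entry names before writing anything to disk, refusing the path traversal names the description refers to. The function names and the sample entry names are constructed for illustration.

```javascript
// Returns the normalized relative path for an entry name that stays inside
// the extraction directory, or null if the name must be refused.
// Pure string logic, so the verdict is the same on POSIX and Windows.
function safeRelativePath(entryName) {
  if (typeof entryName !== "string" || entryName.length === 0) return null;
  if (entryName.includes("\0")) return null;
  // Treat both separators as separators: "..\\..\\file.txt" is an ordinary
  // file name on POSIX but a traversal on Windows.
  const name = entryName.replace(/\\/g, "/");
  // Absolute paths and drive-letter paths ignore the extraction directory.
  if (name.startsWith("/") || /^[A-Za-z]:/.test(name)) return null;
  const kept = [];
  for (const segment of name.split("/")) {
    if (segment === "" || segment === ".") continue;
    if (segment === "..") {
      if (kept.length === 0) return null; // would climb above the root
      kept.pop();
    } else {
      kept.push(segment);
    }
  }
  return kept.length > 0 ? kept.join("/") : null;
}

// Splits entry names into paths that are safe to write and names to refuse.
function vetEntries(entryNames) {
  const accepted = [];
  const rejected = [];
  for (const entryName of entryNames) {
    const relative = safeRelativePath(entryName);
    if (relative === null) rejected.push(entryName);
    else accepted.push(relative);
  }
  return { accepted, rejected };
}

// Constructed sample names, not taken from a real archive.
const SAMPLE_NAMES = [
  "docs/readme.txt",
  "a/../b.txt",            // contains ".." but stays inside the root
  "../../file.txt",        // the form named in the description
  "..\\..\\file.txt",
  "docs/../../file.txt",
  "/tmp/file.txt",
  "C:\\file.txt",
];

console.log(vetEntries(SAMPLE_NAMES));
```

Only the returned relative path should be joined onto the extraction directory. The check looks at names only and does not cover symbolic links stored in an archive.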

CVE ID

CVE-2018-1002204