Skip to content

Arbitrary File Overwrite in decompress-zip

high severity Published Sep 2, 2020 • Updated Sep 27, 2021

Package

npm decompress-zip (npm)

Affected versions

< 0.2.2
>= 0.3.0, < 0.3.2

Patched versions

0.2.2
0.3.2

Description

Vulnerable versions of decompress-zip are affected by the Zip-Slip vulnerability, an arbitrary file write vulnerability. The vulnerability occurs because decompress-zip does not verify that extracted files do not resolve to targets outside of the extraction root directory.

Recommendation

For decompress-zip 0.2.x upgrade to 0.2.2 or later.
For decompress-zip 0.3.x upgrade to 0.3.2 or later.

References

GHSA ID

GHSA-73v8-v6g4-vrpm