Path Traversal in decompress

Critical severity GitHub Reviewed Published Sep 3, 2020 • Updated Jul 29, 2021

Package

npm decompress (npm)

Affected versions

< 4.2.1

Patched versions

4.2.1

Description

Versions of decompress prior to 4.2.1 are vulnerable to Arbitrary File Write. The package fails to prevent extraction of files with relative paths, allowing attackers to write to any folder in the system by including filenames containing `../`.

Recommendation

Upgrade to version 4.2.1 or later.

CVE ID

CVE-2020-12265

CVSS Score

9.8 Critical
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H