npm

Severity: high

Arbitrary File Overwrite

decompress-zip

Overview

Vulnerable versions of decompress-zip are affected by Zip-Slip, an arbitrary file write vulnerability. The vulnerability occurs because decompress-zip does not verify that each extracted file resolves to a target inside the extraction root directory.
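The containment check described above, as an added example for auditing entry names before extraction. It is not decompress-zip's own code; the function names, the `/srv/extract` root and the sample entry names are constructed for illustration.

```javascript
const path = require('path');

// Unchecked form: the entry name is joined onto the root and used as-is,
// so nothing keeps the result inside the extraction root.
function naiveTarget(root, entryName) {
  return path.join(root, entryName);
}

// Checked form: resolve the target, then require it to sit strictly inside root.
// This is a lexical check only; symlinks already on disk are not resolved here.
function safeTarget(root, entryName) {
  const base = path.resolve(root);
  // Treat backslashes as separators so Windows-style names are caught on POSIX too.
  const name = entryName.replace(/\\/g, '/');
  const target = path.resolve(base, name);
  const rel = path.relative(base, target);
  const escapes =
    rel === '' ||                      // resolves to the root itself
    rel === '..' ||
    rel.startsWith('..' + path.sep) || // climbs above the root
    path.isAbsolute(rel);              // different drive on Windows
  if (escapes) {
    throw new Error(`entry escapes extraction root: ${entryName}`);
  }
  return target;
}

// Run the check over every entry name and report which ones would be refused.
function auditEntries(root, entryNames) {
  return entryNames.map((name) => {
    try {
      return { name, ok: true, target: safeTarget(root, name) };
    } catch (err) {
      return { name, ok: false, reason: err.message };
    }
  });
}

// Constructed sample entry names (not taken from any real archive).
const SAMPLE_ENTRIES = [
  'docs/readme.txt', '../../outside.txt', '/abs/file',
  'a/../../b', '..\\..\\win.txt', '..notes/ok.txt',
];

for (const r of auditEntries('/srv/extract', SAMPLE_ENTRIES)) {
  console.log(r.ok ? 'ok    ' : 'REJECT', r.name, '->', r.ok ? r.target : r.reason);
}
```

A name such as `..notes/ok.txt` is accepted because the check compares whole path segments rather than string prefixes.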

Remediation

For decompress-zip 0.2.x, upgrade to 0.2.2 or later. For decompress-zip 0.3.x, upgrade to 0.3.2 or later.

Advisory timeline

  1. Published: Advisory Published, Jan 30th, 2019
  2. Reported: Reported by Snyk Security Team, Jan 30th, 2019