Arbitrary File Overwrite

Advisory
Versions

Overview

Vulnerable versions of decompress-zip are affected by the Zip-Slip vulnerability, an arbitrary file write vulnerability. The vulnerability occurs because decompress-zip does not verify that extracted files do not resolve to targets outside of the extraction root directory.

Remediation

For decompress-zip 0.2.x upgrade to 0.2.2 or later. For decompress-zip 0.3.x upgrade to 0.3.2 or later.

Resources

Snyk Report
Node.js Security-wg

Have content suggestions? Send them to [email protected]

Advisory timeline

published
Advisory Published
Jan 30th, 2019
reported
Reported by Snyk Security Team
Jan 30th, 2019

Arbitrary File Overwrite

Overview

Remediation

Resources

Advisory timeline

published

reported