npm

Severity: high

Arbitrary File Overwrite

fstream

Overview

Versions of fstream prior to 1.0.12 are vulnerable to Arbitrary File Overwrite. Extracting tarballs containing a hardlink to a file that already exists in the system and a file that matches the hardlink will overwrite the system's file with the contents of the extracted file. The fstream.DirWriter() function is vulnerable.

Remediation

Upgrade to version 1.0.12 or later.

Resources

Have content suggestions? Send them to [email protected]

Advisory timeline

  1. published

    Advisory Published
    May 15th, 2019
  2. reported

    Reported by Max Justicz
    May 15th, 2019