Homepage

@pnpm/fetching.binary-fetcher@1005.0.1 vulnerabilities

A fetcher for binary archives

  • latest version

    1005.0.3

  • latest non vulnerable version

    1005.0.3

  • first published

    6 months ago

  • latest version published

    17 days ago

  • licenses detected

  • View fetching.binary-fetcher package health on Snyk Advisor  (opens in a new tab)
    • Go back to all versions of this package
    Report a new vulnerability Found a mistake?

    Direct Vulnerabilities

    Known vulnerabilities in the @pnpm/fetching.binary-fetcher package. This does not include vulnerabilities belonging to this package’s dependencies.

    Fix vulnerabilities automatically

    Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

    Fix for free
    VulnerabilityVulnerable Version
    • M
    Untrusted Search Path

    @pnpm/fetching.binary-fetcher is a fetcher for binary archives

    Affected versions of this package are vulnerable to Untrusted Search Path via the extractZipToTarget function and the use of unvalidated prefix values. An attacker can overwrite arbitrary files on the file system by supplying malicious ZIP archives with crafted paths or by manipulating the prefix field to escape the intended extraction directory.

    Note: Exploitation requires the attacker to publish and convince the user to install a malicious package.

    How to fix Untrusted Search Path?

    Upgrade @pnpm/fetching.binary-fetcher to version 1005.0.2 or higher.

    <1005.0.2
    Go back to all versions of this package