decompress 4.1.0

Direct Vulnerabilities

Known vulnerabilities in the decompress package. This does not include vulnerabilities belonging to this package’s dependencies.

Fix vulnerabilities automatically

Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

Fix for free

Vulnerability	Vulnerable Version
M Arbitrary File Write via Archive Extraction (Zip Slip) decompress is a package that can be used for extracting archives. Affected versions of this package are vulnerable to Arbitrary File Write via Archive Extraction (Zip Slip) when extracting a ZIP archive containing two entries with the same path - the first being a symlink to an arbitrary target and the second being a regular file - the file content is written through the symlink to the target location outside the output directory. This is due to the microtask processing order that checks readlink for the second file before resolving symlink for the first file. An attacker can write arbitrary file on the host filesystem potentially leading to remote code execution by providing a specially crafted ZIP archive. Note: This bypasses all existing path traversal protections including `preventWritingThroughSymlink`, added as a part of the fix for CVE-2020-12265. How to fix Arbitrary File Write via Archive Extraction (Zip Slip)? There is no fixed version for `decompress`.	*
M Arbitrary File Write via Archive Extraction (Zip Slip) decompress is a package that can be used for extracting archives. Affected versions of this package are vulnerable to Arbitrary File Write via Archive Extraction (Zip Slip). It is possible to bypass the security measures provided by decompress and conduct ZIP path traversal through symlinks. PoC `const decompress = require('decompress'); decompress('slip.tar.gz', 'dist').then(files => { console.log('done!'); });` How to fix Arbitrary File Write via Archive Extraction (Zip Slip)? Upgrade `decompress` to version 4.2.1 or higher.	<4.2.1

Vulnerability

Vulnerable Version

Arbitrary File Write via Archive Extraction (Zip Slip)

decompress is a package that can be used for extracting archives.

Affected versions of this package are vulnerable to Arbitrary File Write via Archive Extraction (Zip Slip) when extracting a ZIP archive containing two entries with the same path - the first being a symlink to an arbitrary target and the second being a regular file - the file content is written through the symlink to the target location outside the output directory. This is due to the microtask processing order that checks readlink for the second file before resolving symlink for the first file. An attacker can write arbitrary file on the host filesystem potentially leading to remote code execution by providing a specially crafted ZIP archive.

Note:

This bypasses all existing path traversal protections including preventWritingThroughSymlink, added as a part of the fix for CVE-2020-12265.

How to fix Arbitrary File Write via Archive Extraction (Zip Slip)?

There is no fixed version for decompress.

Arbitrary File Write via Archive Extraction (Zip Slip)

decompress is a package that can be used for extracting archives.

Affected versions of this package are vulnerable to Arbitrary File Write via Archive Extraction (Zip Slip). It is possible to bypass the security measures provided by decompress and conduct ZIP path traversal through symlinks.

PoC

const decompress = require('decompress');

decompress('slip.tar.gz', 'dist').then(files => {
    console.log('done!');
});

How to fix Arbitrary File Write via Archive Extraction (Zip Slip)?

Upgrade decompress to version 4.2.1 or higher.

<4.2.1

decompress@4.1.0

Extracting archives made easy

latest version

first published

latest version published

licenses detected

Direct Vulnerabilities

Fix vulnerabilities automatically

PoC