Homepage

decompress@4.2.1

Extracting archives made easy

  • latest version

    4.2.1

  • first published

    12 years ago

  • latest version published

    6 years ago

  • licenses detected

  • View decompress package health on Snyk  (opens in a new tab)
    • Go back to all versions of this package
    Report a new vulnerability Found a mistake?

    Direct Vulnerabilities

    Known vulnerabilities in the decompress package. This does not include vulnerabilities belonging to this package’s dependencies.

    Fix vulnerabilities automatically

    Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

    Fix for free
    VulnerabilityVulnerable Version
    • M
    Arbitrary File Write via Archive Extraction (Zip Slip)

    decompress is a package that can be used for extracting archives.

    Affected versions of this package are vulnerable to Arbitrary File Write via Archive Extraction (Zip Slip) when extracting a ZIP archive containing two entries with the same path - the first being a symlink to an arbitrary target and the second being a regular file - the file content is written through the symlink to the target location outside the output directory. This is due to the microtask processing order that checks readlink for the second file before resolving symlink for the first file. An attacker can write arbitrary file on the host filesystem potentially leading to remote code execution by providing a specially crafted ZIP archive.

    Note:

    This bypasses all existing path traversal protections including preventWritingThroughSymlink, added as a part of the fix for CVE-2020-12265.

    How to fix Arbitrary File Write via Archive Extraction (Zip Slip)?

    There is no fixed version for decompress.

    *
    Go back to all versions of this package