Decompress
Monthly
Arbitrary file write in the npm decompress package (all versions) exploits a second-generation Zip Slip bypass that circumvents protections introduced in the CVE-2020-12265 fix. By crafting a ZIP archive where a symlink entry and a same-named regular file share an identical path, an attacker leverages microtask scheduling order to write file contents through the unresolved symlink to arbitrary locations outside the extraction output directory, creating a realistic path to remote code execution. Publicly available exploit code exists per the E:P temporal modifier and a published PoC Gist, elevating real-world concern especially for applications processing untrusted archives in automated pipelines.
The decompress package before 4.2.1 for Node.js is vulnerable to Arbitrary File Write via ../ in an archive member, when a symlink is used, because of Directory Traversal. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
Arbitrary file write in the npm decompress package (all versions) exploits a second-generation Zip Slip bypass that circumvents protections introduced in the CVE-2020-12265 fix. By crafting a ZIP archive where a symlink entry and a same-named regular file share an identical path, an attacker leverages microtask scheduling order to write file contents through the unresolved symlink to arbitrary locations outside the extraction output directory, creating a realistic path to remote code execution. Publicly available exploit code exists per the E:P temporal modifier and a published PoC Gist, elevating real-world concern especially for applications processing untrusted archives in automated pipelines.
The decompress package before 4.2.1 for Node.js is vulnerable to Arbitrary File Write via ../ in an archive member, when a symlink is used, because of Directory Traversal. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.