Extract Zip
Monthly
Arbitrary file read/write in the Node.js extract-zip library (max-mapper/extract-zip) arises because symlink entries inside zip archives are extracted without validating their targets. An attacker who supplies a crafted archive containing a symlink with a traversal target such as '../../../../etc/passwd' can cause files to be placed or resolved outside the intended extraction directory, leading to disclosure or modification of sensitive files depending on how the host application uses the extracted output. No public exploit has been identified at time of analysis and the issue is not listed in CISA KEV, though the CVSS 4.0 base score of 8.6 reflects high confidentiality and integrity impact.
Arbitrary file read/write in the Node.js extract-zip library (max-mapper/extract-zip) arises because symlink entries inside zip archives are extracted without validating their targets. An attacker who supplies a crafted archive containing a symlink with a traversal target such as '../../../../etc/passwd' can cause files to be placed or resolved outside the intended extraction directory, leading to disclosure or modification of sensitive files depending on how the host application uses the extracted output. No public exploit has been identified at time of analysis and the issue is not listed in CISA KEV, though the CVSS 4.0 base score of 8.6 reflects high confidentiality and integrity impact.