CVE-2020-12265 decompress

Package

Manager: npm
Name: decompress
Vulnerable Version: >=0 <4.2.1

Severity

Level: Critical

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

EPSS: 0.00737 (percentile 0.71956)

Details

Path Traversal in decompress

Versions of `decompress` prior to 4.2.1 are vulnerable to Arbitrary File Write. The package does not prevent extraction of archive members whose names contain relative path segments, so an attacker who supplies an archive with member names containing `../` can have files written to any location the extracting process has write access to, outside the intended destination directory.

Recommendation

Upgrade to version 4.2.1 or later.

Metadata

Created: 2020-09-03T21:16:27Z
Modified: 2023-04-18T14:49:55Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/09/GHSA-qgfr-5hqp-vrw9/GHSA-qgfr-5hqp-vrw9.json
CWE IDs: ["CWE-22", "CWE-59"]
Alternative ID: GHSA-qgfr-5hqp-vrw9
Finding: F063
Auto approve: 1