Vulnerability Details CVE-2021-23484
The package zip-local before 0.3.5 are vulnerable to Arbitrary File Write via Archive Extraction (Zip Slip) which can lead to an extraction of a crafted file outside the intended extraction directory.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.006
EPSS Ranking 67.3%
CVSS Severity
CVSS v3 Score 9.8
CVSS v2 Score 7.5
References
- https://github.com/Mostafa-Samir/zip-local/blob/master/main.js%23L365
- https://github.com/Mostafa-Samir/zip-local/commit/949446a95a660c0752b1db0c654f0fd619ae6085
- https://snyk.io/vuln/SNYK-JS-ZIPLOCAL-2327477
- https://github.com/Mostafa-Samir/zip-local/blob/master/main.js%23L365
- https://github.com/Mostafa-Samir/zip-local/commit/949446a95a660c0752b1db0c654f0fd619ae6085
- https://snyk.io/vuln/SNYK-JS-ZIPLOCAL-2327477
Products affected by CVE-2021-23484
-
cpe:2.3:a:zip-local_project:zip-local:*