CVE-2018-1002203: Arbitrary File Write via Archive Extraction in unzipper
5.5
CVSS Score
3.0
Basic Information
CVE ID
GHSA ID
EPSS Score
0.8891%
CWE
Published
7/27/2018
Updated
9/20/2023
KEV Status
No
Technology
JavaScript
Technical Details
CVSS Vector
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
unzipper | npm | < 0.8.13 | 0.8.13 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from how ZIP entry paths are handled during extraction. The pre-patch code in lib/extract.js
used path.join(opts.path, entry.path)
without verifying if the resulting path remained within the target directory. The GitHub commit 2220ddd
shows the fix adds a check (extractPath.indexOf(opts.path) != 0
) to prevent traversal. This directly corresponds to CWE-22 path traversal via improper path sanitization in archive extraction logic.