Miggo Logo

CVE-2018-1002203: Arbitrary File Write via Archive Extraction in unzipper

5.5

CVSS Score
3.0

Basic Information

EPSS Score
0.8891%
Published
7/27/2018
Updated
9/20/2023
KEV Status
No
Technology
TechnologyJavaScript

Technical Details

CVSS Vector
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
unzippernpm< 0.8.130.8.13

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from how ZIP entry paths are handled during extraction. The pre-patch code in lib/extract.js used path.join(opts.path, entry.path) without verifying if the resulting path remained within the target directory. The GitHub commit 2220ddd shows the fix adds a check (extractPath.indexOf(opts.path) != 0) to prevent traversal. This directly corresponds to CWE-22 path traversal via improper path sanitization in archive extraction logic.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

V*rsions o* `unzipp*r` ***or* *.*.** *r* vuln*r**l* to *r*itr*ry *il* writ* w**n us** to *xtr**t * sp**i*i**lly *r**t** *r**iv* t**t *ont*ins p*t* tr*v*rs*l *il*n*m*s (`../../*il*.txt` *or *x*mpl*). ## R**omm*n**tion Up**t* to v*rsion *.*.** or l*

Reasoning

T** vuln*r**ility st*ms *rom *ow ZIP *ntry p*t*s *r* **n*l** *urin* *xtr**tion. T** pr*-p*t** *o** in `li*/*xtr**t.js` us** `p*t*.join(opts.p*t*, *ntry.p*t*)` wit*out v*ri*yin* i* t** r*sultin* p*t* r*m*in** wit*in t** t*r**t *ir**tory. T** *it*u* *o