N/A

CVSS Score

-

CVSS Score

Basic Information

CVE ID

CVE-2025-11569

GHSA ID

GHSA-gj5f-73vh-wpf7

EPSS Score

0.49879%

CWE

CWE-22

Published

10/10/2025

Updated

10/10/2025

KEV Status

Technology

JavaScript

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-11569

CVE-2025-11569: cross-zip is vulnerable to Directory Traversal through selective use of zip/unzip operations

All versions of the package cross-zip are vulnerable to Directory Traversal via consecutive usage of zipSync() and unzipSync () functions that allow arguments such as __dirname. An attacker can access system files by selectively doing zip/unzip operations.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2025-11569

CVE-2025-11569:

N/A

CVSS Score

-

CVSS Score

Basic Information

CVE ID

CVE-2025-11569

GHSA ID

GHSA-gj5f-73vh-wpf7

EPSS Score

0.49879%

CWE

CWE-22

Published

10/10/2025

Updated

10/10/2025

KEV Status

Technology

JavaScript

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
cross-zip	npm	<= 4.0.1

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability in cross-zip is a classic directory traversal issue. The root cause is a complete lack of input validation on the paths provided to the zip and unzip functions. The exploit demonstrated in the proof-of-concept (PoC) involves a two-step process:

Arbitrary File Zipping: An attacker calls zipSync or zip with a path to a sensitive file on the server (e.g., /etc/passwd). The library does not check if this path is within the project's intended directory and proceeds to create a zip archive containing the sensitive file.
Arbitrary File Extraction: The attacker then calls unzipSync or unzip to extract the newly created zip file. The contents (the sensitive file) are extracted into a directory that the attacker can then access, for example, a public web directory or a temporary folder from which they can read the file.

The vulnerable functions are zip, zipSync, unzip, and unzipSync. Both the synchronous and asynchronous versions of these functions are vulnerable because they use the underlying child_process module to execute system commands (zip and unzip or PowerShell equivalents on Windows) without sanitizing the input paths. This allows an attacker to read arbitrary files from the filesystem where the application is running.

Vulnerable functions

zipSync

index.js

The `zipSync` function is vulnerable to directory traversal because it does not validate or sanitize the `inPath` argument. An attacker can provide an absolute path to a sensitive file on the system (e.g., '/etc/passwd'), and this function will create a zip archive of that file. This is the first step in the two-stage attack.

unzipSync

index.js

The `unzipSync` function is used to complete the directory traversal attack. After a sensitive file has been zipped using `zipSync`, `unzipSync` is called to extract it into a location accessible by the attacker. The function does not perform any security checks on the file paths within the zip archive, allowing a file to be written outside of the intended destination directory if the zip archive was crafted to do so.

zip

index.js

Similar to `zipSync`, the `zip` function is vulnerable to directory traversal because it fails to sanitize the `inPath` argument. This allows an attacker to create a zip archive of any file on the system, which can then be extracted using the `unzip` function.

unzip

index.js

The `unzip` function, being the asynchronous counterpart to `unzipSync`, is also a key component of the vulnerability. It extracts files from a given archive without checking for malicious path entries (like '../'), enabling an attacker to write files outside the intended extraction directory.

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

N/A

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-11569: cross-zip is vulnerable to Directory Traversal through selective use of zip/unzip operations

CVE-2025-11569:

N/A

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

N/A

N/A

Basic Information

Basic Information

Technical Details

CVE-2025-11569: cross-zip is vulnerable to Directory Traversal through selective use of zip/unzip operations

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI