
CVE-2025-11569: cross-zip is vulnerable to Directory Traversal through selective use of zip/unzip operations

Basic Information

CVSS Score: N/A
EPSS Score: 0.49879%
Published: 10/10/2025
Updated: 10/10/2025
KEV Status: No
Technology: JavaScript

Technical Details

CVSS Vector: -

Package Name | Ecosystem | Vulnerable Versions | First Patched Version
cross-zip | npm | <= 4.0.1 |

Vulnerability Intelligence

Root Cause Analysis

The vulnerability in cross-zip is a classic directory traversal issue. The root cause is a complete lack of input validation on the paths provided to the zip and unzip functions. The exploit demonstrated in the proof-of-concept (PoC) involves a two-step process:

  1. Arbitrary File Zipping: An attacker calls zipSync or zip with a path to a sensitive file on the server (e.g., /etc/passwd). The library does not check if this path is within the project's intended directory and proceeds to create a zip archive containing the sensitive file.

  2. Arbitrary File Extraction: The attacker then calls unzipSync or unzip to extract the newly created zip file. The contents (the sensitive file) are extracted into a directory that the attacker can then access, for example, a public web directory or a temporary folder from which they can read the file.

The vulnerable functions are zip, zipSync, unzip, and unzipSync. Both the synchronous and asynchronous versions of these functions are vulnerable because they use the underlying child_process module to execute system commands (zip and unzip or PowerShell equivalents on Windows) without sanitizing the input paths. This allows an attacker to read arbitrary files from the filesystem where the application is running.

Vulnerable functions

zipSync (index.js)
The `zipSync` function is vulnerable to directory traversal because it does not validate or sanitize the `inPath` argument. An attacker can provide an absolute path to a sensitive file on the system (e.g., '/etc/passwd'), and this function will create a zip archive of that file. This is the first step in the two-stage attack.

unzipSync (index.js)
The `unzipSync` function is used to complete the directory traversal attack. After a sensitive file has been zipped using `zipSync`, `unzipSync` is called to extract it into a location accessible by the attacker. The function does not perform any security checks on the file paths within the zip archive, allowing a file to be written outside of the intended destination directory if the zip archive was crafted to do so.

zip (index.js)
Similar to `zipSync`, the `zip` function is vulnerable to directory traversal because it fails to sanitize the `inPath` argument. This allows an attacker to create a zip archive of any file on the system, which can then be extracted using the `unzip` function.

unzip (index.js)
The `unzip` function, being the asynchronous counterpart to `unzipSync`, is also a key component of the vulnerability. It extracts files from a given archive without checking for malicious path entries (like '../'), enabling an attacker to write files outside the intended extraction directory.

WAF Protection Rules

WAF Rule

All versions of the package cross-zip are vulnerable to Directory Traversal via consecutive usage of zipSync() and unzipSync() functions that allow arguments such as __dirname. An attacker can access system files by selectively doing zip/unzip opera
