Arbitrary File Write Vulnerability in Decompress Package for Node.js
CVE-2020-12265

9.8CRITICAL

Key Information:

Vendor

Decompress Project

Status
Decompress
Vendor
CVE Published:
26 April 2020

What is CVE-2020-12265?

The Decompress Package prior to version 4.2.1 for Node.js is affected by a vulnerability that allows an attacker to exploit a directory traversal flaw. By using symlinks in an archive member, unauthorized file writing to arbitrary locations on the file system may occur, leading to potential compromise of system integrity.

References

https://www.npmjs.com/advisories/1217
x_refsource_MISC
https://github.com/kevva/decompress/issues/71
x_refsource_MISC
https://github.com/kevva/decompress/pull/73
x_refsource_MISC

CVSS V3.1

Score:
9.8
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.