Description
The decompress package before 4.2.1 for Node.js is vulnerable to Arbitrary File Write via ../ in an archive member, when a symlink is used, because of Directory Traversal.
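An added example (not code from the decompress project or its patch): a pre-extraction check for the problem described above, where a `../` member can pass a purely lexical path check once an earlier member is a symlink. The entry shape `{path, type, linkname}`, the name `findUnsafeEntries` and the `/srv/unpack` destination are assumptions of this example.

```javascript
const path = require('path');

// Entry shape {path, type, linkname} is an assumption of this example.
// Returns the paths of members that must not be extracted under destDir.
function findUnsafeEntries(destDir, entries) {
  const root = path.resolve(destDir);
  const inside = (p) => p !== null && (p === root || p.startsWith(root + path.sep));
  const links = new Map(); // symlink location -> target, both already resolved

  // Walk a path one component at a time, following symlinks that earlier
  // members created, the way the filesystem would at write time.
  const walk = (base, rel) => {
    let current = base;
    for (const part of rel.split(/[\\/]+/)) {
      if (part === '' || part === '.') continue;
      current = part === '..' ? path.dirname(current) : path.join(current, part);
      for (let hops = 0; links.has(current); hops++) {
        if (hops > 40) return null; // symlink loop
        current = links.get(current);
      }
    }
    return current;
  };

  const unsafe = [];
  for (const entry of entries) {
    const isLink = entry.type === 'symlink';
    // Conservative policy: absolute member paths and link targets are refused.
    const absolute = path.isAbsolute(entry.path) || (isLink && path.isAbsolute(entry.linkname));
    const dest = absolute ? null : walk(root, entry.path);
    const target = isLink && inside(dest) ? walk(path.dirname(dest), entry.linkname) : dest;
    if (!inside(dest) || !inside(target)) {
      unsafe.push(entry.path);
      continue;
    }
    if (isLink) links.set(dest, target);
  }
  return unsafe;
}

// Constructed sample listing, in archive order.
const SAMPLE = [
  { path: 'docs/readme.txt', type: 'file' },
  { path: '../outside.txt', type: 'file' },
  { path: 'self', type: 'symlink', linkname: '.' },
  { path: 'self/../escaped.txt', type: 'file' }, // normalizes to a path inside
  { path: 'assets', type: 'symlink', linkname: 'docs' },
  { path: 'assets/logo.png', type: 'file' },
];
console.log(findUnsafeEntries('/srv/unpack', SAMPLE));
```

The check works on the archive listing only; an extractor would still confirm each parent directory on disk (for example with `fs.realpathSync`) before writing.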
Remediation
References
https://github.com/kevva/decompress/issues/71
https://github.com/kevva/decompress/pull/73
https://www.npmjs.com/advisories/1217