Description
The package zip-local before 0.3.5 are vulnerable to Arbitrary File Write via Archive Extraction (Zip Slip) which can lead to an extraction of a crafted file outside the intended extraction directory.
Remediation
References
https://github.com/Mostafa-Samir/zip-local/blob/master/main.js%23L365
https://github.com/Mostafa-Samir/zip-local/commit/949446a95a660c0752b1db0c654f0fd619ae6085
https://snyk.io/vuln/SNYK-JS-ZIPLOCAL-2327477
Related Vulnerabilities
CVE-2019-13127 Vulnerability in maven package org.webjars.bowergithub.jgraph:mxgraph
CVE-2022-39387 Vulnerability in maven package org.xwiki.contrib.oidc:oidc-authenticator
CVE-2023-35088 Vulnerability in maven package org.apache.inlong:manager-service
CVE-2022-24846 Vulnerability in maven package org.geowebcache:gwc-diskquota-jdbc
CVE-2023-6886 Vulnerability in maven package com.xnx3.wangmarket:wangmarket