CVE-2026-31988 (yauzl)
**Name of the Vulnerable Software and Affected Versions**
yauzl version 3.2.0
**Description**
yauzl (Yet Another Unzip Library) version 3.2.0 for Node.js contains an off-by-one error in the `getLastModDate()` function, specifically in the parser for the NTFS extended timestamp extra field. The condition of a `while` loop checks `cursor < data.length + 4` instead of `cursor + 4 <= data.length`, so `readUInt16LE()` can be called with an offset past the end of the buffer. A remote attacker can exploit this by supplying a specially crafted zip file containing a malformed NTFS extra field, causing a denial of service: the process crashes with an `ERR_OUT_OF_RANGE` exception. This affects any Node.js application that processes zip file uploads and calls `entry.getLastModDate()` on the parsed entries.
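As an added illustration (this is example code, not yauzl's own implementation), the following simplified scanner for the NTFS extra field's tag/size records places the off-by-one loop condition named above beside the corrected one and runs both over a constructed truncated field; the function names, the `scanOrErrorCode` wrapper and the record layout used here are this example's assumptions.

```javascript
// Added example, not yauzl's code. Assumed 0x000a extra-field layout: 4 reserved
// bytes, then records of tag (u16) + size (u16) + value; tag 0x0001 = 3 x FILETIME.
const FILETIME_EPOCH_OFFSET_MS = 11644473600000n; // 1601-01-01 to 1970-01-01

// FILETIME is 100 ns ticks since 1601; convert to a JS Date.
function filetimeToDate(ticks) {
  return new Date(Number(ticks / 10000n - FILETIME_EPOCH_OFFSET_MS));
}

// Off-by-one as described in the advisory: the loop body may start a 4-byte
// header read with fewer than 4 bytes remaining in `data`.
const vulnerableCondition = (cursor, length) => cursor < length + 4;
// Corrected check: the tag + size header must fit entirely before reading it.
const fixedCondition = (cursor, length) => cursor + 4 <= length;

// Scan the extra-field payload, returning the mtime of each tag 0x0001 record.
function scanNtfsExtra(data, loopCondition) {
  const mtimes = [];
  let cursor = 4; // skip the reserved bytes
  while (loopCondition(cursor, data.length)) {
    const tag = data.readUInt16LE(cursor); // throws ERR_OUT_OF_RANGE past the end
    const size = data.readUInt16LE(cursor + 2);
    cursor += 4;
    if (tag === 0x0001 && size >= 24 && cursor + 24 <= data.length) {
      mtimes.push(filetimeToDate(data.readBigUInt64LE(cursor)));
    }
    cursor += size;
  }
  return mtimes;
}

// Run the scanner and report either its result or the Node error code it raised.
function scanOrErrorCode(data, loopCondition) {
  try {
    return { mtimes: scanNtfsExtra(data, loopCondition) };
  } catch (err) {
    return { error: err.code };
  }
}

// Constructed inputs (not taken from any real archive).
// Truncated field: reserved bytes plus a dangling 2-byte tag with no size field.
const truncatedField = Buffer.from([0, 0, 0, 0, 0x01, 0x00]);
// Well-formed field with one tag 0x0001 record whose mtime is 2000-01-01T00:00:00Z.
const wellFormedField = Buffer.alloc(4 + 4 + 24);
wellFormedField.writeUInt16LE(0x0001, 4);
wellFormedField.writeUInt16LE(24, 6);
wellFormedField.writeBigUInt64LE((946684800000n + FILETIME_EPOCH_OFFSET_MS) * 10000n, 8);

console.log(scanOrErrorCode(truncatedField, vulnerableCondition)); // { error: 'ERR_OUT_OF_RANGE' }
console.log(scanOrErrorCode(truncatedField, fixedCondition));      // { mtimes: [] }
```

The same truncated input that crashes the loop under the old condition is simply skipped under the corrected one, which is the behaviour a regression test for this fix should assert.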
**Recommendations**
Update yauzl to version 3.2.1 or later.