Mafintosh

**Name of the Vulnerable Software and Affected Versions** tar-fs versions prior to 3.0.9 tar-fs versions prior to 2.1.3 tar-fs versions prior to 1.16.5 **Description** The issue in tar-fs allows an extract to write outside the specified directory with a specific tarball. This is due to improper limitation of a pathname to a restricted directory, also known as path traversal. **Recommendations** For versions prior to 3.0.9, update to version 3.0.9 or later. For versions prior to 2.1.3, update to version 2.1.3 or later. For versions prior to 1.16.5, update to version 1.16.5 or later. As a temporary workaround, consider using the ignore option to ignore non-files/directories.

**Name of the Vulnerable Software and Affected Versions** ws versions prior to 1.0.1 **Description** A vulnerability was found in the ping functionality of the ws module, allowing clients to allocate memory by sending a ping frame. The ping functionality responds with a pong frame and the previously given payload of the ping frame. Internally, ws transforms all data to be sent into a Buffer instance without checking the type of data, which leads to the vulnerability. This issue can cause a remote memory disclosure in certain circumstances, potentially disclosing sensitive information that still exists in memory after previous use. **Recommendations** Update to version 1.0.1 or greater. As a temporary workaround, consider restricting the use of the `client.ping()` function to minimize the risk of exploitation.