CVE-2018-1002204

Name of the Vulnerable Software and Affected Versions adm-zip versions prior to 0.4.9

Description The issue is related to a directory traversal vulnerability, also known as 'Zip-Slip', which allows attackers to write to arbitrary files via a ../ (dot dot slash) in a Zip archive entry that is mishandled during extraction. This can be exploited by a remote attacker using a specially crafted archive, potentially leading to arbitrary code execution. The vulnerability is due to incorrect restriction of the directory path name in the extractDir function of the Adm-zip library for Node.js.

Recommendations Update to version 0.4.9 or later. As a temporary workaround, consider restricting the use of the extractDir function until a patch is available. Avoid using the adm-zip library to extract archives from untrusted sources until the issue is resolved.