PT-2025-41501 · Npm · Cross-Zip
Mcoimbra
+1
·
Publicado
2025-10-10
·
Atualizado
2025-10-15
·
CVE-2025-11569
CVSS v4.0
7.7
Alta
| Vetor | AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P |
Name of the Vulnerable Software and Affected Versions
cross-zip (affected versions not specified)
Description
The
cross-zip JavaScript package, used for zipping and unzipping files in Node.js environments, is susceptible to a directory traversal issue. This arises from improper handling of user-supplied arguments in the zipSync() and unzipSync() functions, allowing attackers to access arbitrary files on the host system. Exploitation involves manipulating archive contents or extraction paths, potentially leading to information disclosure or further compromise. The issue occurs through consecutive usage of the zipSync() and unzipSync() functions with arguments such as dirname.Recommendations
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
Path traversal
Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
Enumeração de Fraquezas
Identificadores relacionados
Produtos afetados
Cross-Zip