CVE-2025-11569

Name of the Vulnerable Software and Affected Versions cross-zip (affected versions not specified)

Description The cross-zip JavaScript package, used for zipping and unzipping files in Node.js environments, is susceptible to a directory traversal issue. This arises from improper handling of user-supplied arguments in the zipSync() and unzipSync() functions, allowing attackers to access arbitrary files on the host system. Exploitation involves manipulating archive contents or extraction paths, potentially leading to information disclosure or further compromise. The issue occurs through consecutive usage of the zipSync() and unzipSync() functions with arguments such as dirname.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.