====================================================================
CERT-Renater Information Note No. 2020/VULN102
_____________________________________________________________________
DATE                 : 27/02/2020
HARDWARE PLATFORM(S) : /
OPERATING SYSTEM(S)  : Systems running the decompress package for Node.js.
=====================================================================
https://www.npmjs.com/advisories/1217
https://github.com/kevva/decompress/issues/71
_____________________________________________________________________

Severity: high
Arbitrary File Write
decompress

Overview
All versions of decompress are vulnerable to Arbitrary File Write. The package fails to prevent extraction of files with relative paths, allowing attackers to write to any folder on the system by including filenames containing ../.

Remediation
No fix is currently available. Consider using an alternative package until a fix is made available.

Resources
GitHub Issue

Advisory timeline
published: Advisory Published Feb 26th, 2020
reported:  Reported by Oscar Arnflo Oct 15th, 2019

=========================================================
+ CERT-RENATER        | tel : 01-53-94-20-44           +
+ 23/25 Rue Daviel    | fax : 01-53-94-20-41           +
+ 75013 Paris         | email:cert@support.renater.fr  +
=========================================================