CVE-2020-12265
CRITICALdecompress < 4.2.1 - Arbitrary File Write via Symlink Path Traversal
Title source: llmDescription
The decompress package before 4.2.1 for Node.js is vulnerable to Arbitrary File Write via ../ in an archive member, when a symlink is used, because of Directory Traversal.
References (3)
Core 3
Core References
Third Party Advisory x_refsource_misc
https://www.npmjs.com/advisories/1217
Exploit, Third Party Advisory x_refsource_misc
https://github.com/kevva/decompress/issues/71
Patch, Third Party Advisory x_refsource_misc
https://github.com/kevva/decompress/pull/73
Scores
CVSS v3
9.8
EPSS
0.0246
EPSS Percentile
82.3%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-22
CWE-59
Status
published
Products (2)
decompress_project/decompress
< 4.2.1
npm/decompress
0 - 4.2.1npm
Published
Apr 26, 2020
Tracked Since
Feb 18, 2026