CVE-2021-23484

CRITICAL

zip-local < 0.3.5 - Arbitrary File Write via Archive Extraction

Title source: llm

Description

The package zip-local before 0.3.5 are vulnerable to Arbitrary File Write via Archive Extraction (Zip Slip) which can lead to an extraction of a crafted file outside the intended extraction directory.

References (3)

Core 3

Core References

Exploit, Patch, Third Party Advisory x_refsource_misc

https://snyk.io/vuln/SNYK-JS-ZIPLOCAL-2327477

Broken Link, Third Party Advisory x_refsource_misc

https://github.com/Mostafa-Samir/zip-local/blob/master/main.js%23L365

Patch, Third Party Advisory x_refsource_misc

https://github.com/Mostafa-Samir/zip-local/commit/949446a95a660c0752b1db0c654f0fd619ae6085

View Patch ZIP pw:eip

Scores

CVSS v3 9.8

EPSS 0.0205

EPSS Percentile 78.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-22

Status published

Products (2)

npm/zip-local 0 - 0.3.5npm

zip-local_project/zip-local < 0.3.5

Published Jan 28, 2022

Tracked Since Feb 18, 2026