CVE-2022-48285
HIGHJSZip < 3.8.0 - Path Traversal via Crafted ZIP Archive
Title source: llmDescription
loadAsync in JSZip before 3.8.0 allows Directory Traversal via a crafted ZIP archive.
References (5)
Core 5
Core References
Third Party Advisory, VDB Entry
https://exchange.xforce.ibmcloud.com/vulnerabilities/244499
Patch, Third Party Advisory
https://github.com/Stuk/jszip/commit/2edab366119c9ee948357c02f1206c28566cdf15
Third Party Advisory
https://github.com/Stuk/jszip/compare/v3.7.1...v3.8.0
Third Party Advisory
https://www.mend.io/vulnerability-database/WS-2023-0004
Vendor Advisory
https://security.netapp.com/advisory/ntap-20240621-0005/
Scores
CVSS v3
7.3
EPSS
0.0119
EPSS Percentile
79.1%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
total
Details
CWE
CWE-22
Status
published
Products (2)
jszip_project/jszip
< 3.8.0
npm/jszip
0 - 3.8.0npm
Published
Jan 29, 2023
Tracked Since
Feb 18, 2026