Description
The extract() function uses String.indexOf() for path validation, which is plain substring matching, not path-aware checking. A crafted zip entry path such as ../../tmp/extractEvil/hacked.txt bypasses the check: path.join() first resolves the .. segments, and indexOf() then finds the target directory string as a prefix of the resolved path. This allows writing files outside the target extraction directory. It bypasses the fix for CVE-2018-1002203.
Severity
high - CWE-22
Affected Versions
>= 0.8.13 <= 0.12.3
Vulnerable Code
File: lib/extract.js:23
Proof of Concept
Create zip with entry '../../tmp/extractEvil/hacked.txt'. Extract to /tmp/extract. File is written to /tmp/extractEvil/hacked.txt instead.
Impact
This vulnerability allows an attacker who supplies a crafted zip archive to write files outside the intended extraction directory (path traversal, CWE-22). The String.indexOf() prefix check accepts any resolved path that merely begins with the target directory string, so an entry that path.join() resolves to a sibling directory such as /tmp/extractEvil passes validation when extracting to /tmp/extract. This bypasses the fix for CVE-2018-1002203.
Suggested Fix
See details in the full advisory.
Reported via automated bug bounty pipeline