Arbitrary file write and information disclosure via symlink validation bypass
Summary
extract-zip does not validate symlink targets when extracting zip archives. When processing a malicious zip file containing a symlink with a relative path like '../../../../etc/passwd', extract-zip will extract the symlink without validation, allowing it to point outside the extraction directory. Depending on how extract-zip is used, an attacker could read or write to arbitrary files. A flaw was found in extract-zip. This vulnerability allows a remote attacker to craft a malicious zip file containing symbolic links that point to locations outside the intended extraction directory. When a user extracts this malicious archive, extract-zip fails to validate the symlink targets, leading to the creation of files in arbitrary locations on the system. This could enable an attacker to read or write to sensitive files, potentially leading to information disclosure or system compromise. A flaw was found in the extract-zip npm package. The package does not validate symlink targets when extracting ZIP archives. When processing a malicious ZIP file containing a symlink with a relative path (e.g., '../../../../etc/passwd'), extract-zip extracts the symlink without validation, allowing it to point outside the intended extraction directory. Depending on how extract-zip is used, an attacker could read arbitrary files (information disclosure) or write to arbitrary locations (arbitrary file write) on the system. Exploitation requires a user or automated process to extract a crafted ZIP archive. Red Hat severity: Important — CVSS 8.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N). Weakness: CWE-22. No fixing RHSA erratum has published yet; monitor the Red Hat CVE page and patch when it ships.
Mitigation checklist
- No patch is available for extract-zip. The upstream maintainer is unresponsive (last commit 4+ years ago), and no fix is expected. Users should avoid using this package to extract untrusted ZIP archives. As a workaround, validate symlink targets manually before extraction, use an alternative library such as adm-zip or yauzl with proper path validation, or run extraction in a sandboxed environment (container, isolated filesystem).
Official advisory · high-confidence parse· fetched 6 hours ago·verify at source
Discussion(0)
No comments yet. Share field notes, upgrade gotchas, or questions — verify against the vendor advisory before acting on community advice.
Sign in to join the discussion.