Source: node-extract-zip Version: 2.0.1+ds-4 Severity: important Tags: security upstream X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi, The following vulnerability was published for node-extract-zip. CVE-2026-56876[0]: | extract-zip does not validate symlink targets when extracting zip | archives. When processing a malicious zip file containing a symlink | with a relative path like '../../../../etc/passwd', extract-zip will | extract the symlink without validation, allowing it to point outside | the extraction directory. Depending on how extract-zip is used, an | attacker could read or write to arbitrary files. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2026-56876 https://www.cve.org/CVERecord?id=CVE-2026-56876 [1] https://github.com/ziad626/extract-zip-security-research/security/advisories/GHSA-x7jf-2287-qcpf Regards, Salvatore -- Pkg-javascript-devel mailing list [email protected] https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel
