Source: node-extract-zip
Version: 2.0.1+ds-4
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for node-extract-zip.

CVE-2026-56876[0]:
| extract-zip does not validate symlink targets when extracting zip
| archives. When processing a malicious zip file containing a symlink
| with a relative path like '../../../../etc/passwd', extract-zip will
| extract the symlink without validation, allowing it to point outside
| the extraction directory. Depending on how extract-zip is used, an
| attacker could read or write to arbitrary files.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-56876
    https://www.cve.org/CVERecord?id=CVE-2026-56876
[1] 
https://github.com/ziad626/extract-zip-security-research/security/advisories/GHSA-x7jf-2287-qcpf

Regards,
Salvatore

-- 
Pkg-javascript-devel mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel

Reply via email to