Description
The decompress package before 4.2.1 for Node.js is vulnerable to Arbitrary File Write via ../ in an archive member, when a symlink is used, because of Directory Traversal.
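The two checks an extractor needs against this class of bug, as an added example that is not code from decompress or from the linked pull request: reject members whose path leaves the destination, and reject writes whose parent directory, or whose symlink target, resolves outside it. The function names and the entry shape `{ path, type, linkname }` are assumptions made for illustration.

```javascript
const fs = require('fs');
const os = require('os');
const path = require('path');

// True when `child` is `root` itself or lies beneath it.
function isInside(root, child) {
  const rel = path.relative(root, child);
  return rel !== '..' && !rel.startsWith('..' + path.sep) && !path.isAbsolute(rel);
}

// Realpath of the deepest ancestor of `p` that already exists on disk.
function realExistingAncestor(p) {
  for (let cur = p; ; cur = path.dirname(cur)) {
    try { return fs.realpathSync(cur); }
    catch (err) { if (path.dirname(cur) === cur) throw err; }
  }
}

// Returns null if the entry may be written, otherwise the reason to reject it.
// Assumed (hypothetical) entry shape: { path, type, linkname }.
function rejectReason(destDir, entry) {
  const root = fs.realpathSync(destDir);
  const target = path.resolve(root, entry.path);
  if (!isInside(root, target)) return 'member path escapes destination';
  // A symlink extracted earlier can redirect a parent directory elsewhere.
  const parent = realExistingAncestor(path.dirname(target));
  if (!isInside(root, parent)) return 'parent directory resolves outside destination';
  if (entry.type === 'symlink') {
    const linkTarget = path.resolve(path.dirname(target), entry.linkname);
    if (!isInside(root, linkTarget)) return 'symlink target escapes destination';
  }
  return null;
}

// Constructed sample: a destination that already contains a symlink pointing out of it.
function demo() {
  const base = fs.mkdtempSync(path.join(os.tmpdir(), 'extract-'));
  const dest = path.join(base, 'out');
  fs.mkdirSync(dest);
  fs.symlinkSync(base, path.join(dest, 'link'));
  return [
    { path: 'docs/readme.txt', type: 'file' },
    { path: '../evil.txt', type: 'file' },
    { path: 'link/evil.txt', type: 'file' },
    { path: 'up', type: 'symlink', linkname: '../..' },
  ].map((entry) => rejectReason(dest, entry));
}
```

The check has to run per member, immediately before that member is written, because an earlier member in the same archive can create the symlink that a later member writes through.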
Remediation
References
https://github.com/kevva/decompress/pull/73
https://www.npmjs.com/advisories/1217
https://github.com/kevva/decompress/issues/71