Description
The decompress package before 4.2.1 for Node.js is vulnerable to Arbitrary File Write via ../ in an archive member, when a symlink is used, because of Directory Traversal.
Remediation
References
https://github.com/kevva/decompress/pull/73
https://www.npmjs.com/advisories/1217
https://github.com/kevva/decompress/issues/71
Related Vulnerabilities
CVE-2014-7810 Vulnerability in maven package org.mortbay.jasper:apache-el
CVE-2023-1784 Vulnerability in maven package org.jeecgframework.boot:jeecg-boot-parent
CVE-2020-11021 Vulnerability in npm package @actions/http-client
CVE-2022-2596 Vulnerability in npm package node-fetch
CVE-2023-47324 Vulnerability in maven package org.silverpeas.core:silverpeas-core-war