Zip Slip is exploited using a specially crafted zip archive that holds path traversal filenames. When exploited, a filename in a malicious archive is concatenated to the target extraction directory, which results in the final path ending up outside of the target folder. For instance, a zip may hold a file with a "../../file.exe" location and thus break out of the target folder. If an executable or a configuration file is overwritten with a file containing malicious code, the problem can turn into an arbitrary code execution issue quite easily. The following is an example of a zip archive with one benign file and one malicious file. Extracting the malicious file will result in traversing out of the target folder, ending up in /root/.

This is an active fork and drop-in replacement of node-unzip and addresses the following issues: finish/close events are not always triggered, particularly when the input stream is slower than the receivers; any files are buffered into memory before passing on to entry. The structure of this fork is similar to the original, but uses.
Based on project statistics from the GitHub repository for the npm package thx/unzipper, we found that it has been starred 2 times, and that 6 other projects in the ecosystem are dependent on it.
# Npm unzipper install
As such, we scored thx/unzipper popularity level to be Limited.
Unzipper is an Unzip cross-platform streaming API. Affected versions of the package are vulnerable to Arbitrary File Write via Archive Extraction (AKA "Zip Slip"). The npm package thx/unzipper receives a total of 33 downloads a week.
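
The path concatenation behind Zip Slip, next to a containment check an extractor can run on every entry name before writing. This is an added example, not code from unzipper or from the original page; the directory `/tmp/extract`, the entry names and the function names are constructed for illustration.

```javascript
const path = require('path');

// Vulnerable pattern: the entry name is concatenated onto the extraction
// directory and the result is used as the write path without any check.
function naiveEntryPath(targetDir, entryName) {
  return path.posix.join(targetDir, entryName);
}

// Hardened pattern: resolve the final path, then require that it is still
// strictly inside the extraction directory.
function safeEntryPath(targetDir, entryName) {
  // Zip entry names use '/', but some archives carry '\' separators.
  const normalized = entryName.replace(/\\/g, '/');
  const root = path.posix.resolve(targetDir);
  const resolved = path.posix.resolve(root, normalized);
  const rel = path.posix.relative(root, resolved);
  // rel === '' is the directory itself; '..' or '../x' is outside it.
  if (rel === '' || rel === '..' || rel.startsWith('../')) {
    throw new Error(`entry escapes extraction directory: ${entryName}`);
  }
  return resolved;
}

// Classify every entry name of an archive listing before extracting anything.
function auditEntries(targetDir, entryNames) {
  const report = { safe: [], rejected: [] };
  for (const name of entryNames) {
    try {
      report.safe.push(safeEntryPath(targetDir, name));
    } catch (err) {
      report.rejected.push(name);
    }
  }
  return report;
}

// Constructed listing: benign names mixed with traversal names.
const SAMPLE_ENTRIES = [
  'good.txt',
  'docs/../notes.txt',      // stays inside after normalisation
  '../../root/evil.sh',     // relative traversal
  '..\\..\\file.exe',       // backslash-separated traversal
  '/etc/cron.d/job',        // absolute path
];

console.log(naiveEntryPath('/tmp/extract', '../../root/evil.sh'));
console.log(auditEntries('/tmp/extract', SAMPLE_ENTRIES));
```

An extractor that rejects the whole archive as soon as `rejected` is non-empty avoids leaving a partially extracted tree behind.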