CVE-2020-12265

2020-04-2616:46:21

mitre

www.cve.org

AI Score

9.5

Confidence

High

EPSS

0.006

Percentile

78.9%

JSON

The decompress package before 4.2.1 for Node.js is vulnerable to Arbitrary File Write via …/ in an archive member, when a symlink is used, because of Directory Traversal.

References

github.com/kevva/decompress/issues/71

github.com/kevva/decompress/pull/73

www.npmjs.com/advisories/1217