medium
5.5
CWE
22
Advisory Published
Advisory Published
CVE Published
Updated

CVE-2018-1002203: Path Traversal

First published: Wed Jul 25 2018(Updated: )

unzipper npm library before 0.8.13 is vulnerable to directory traversal, allowing attackers to write to arbitrary files via a ../ (dot dot slash) in a Zip archive entry that is mishandled during extraction. This vulnerability is also known as 'Zip-Slip'.

Credit: report@snyk.io

Affected SoftwareAffected VersionHow to fix
npm/unzipper<0.8.13
0.8.13
Unzip<0.8.13

Remedy

https://github.com/ZJONSSON/node-unzipper/commit/2220ddd5b58f6252069a4f99f9475441ad0b50cd

Remedy

https://github.com/ZJONSSON/node-unzipper/pull/59

Remedy

https://snyk.io/research/zip-slip-vulnerability

Remedy

https://snyk.io/vuln/npm:unzipper:20180415

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Read MoreStart Free Trial

Reference Links

Frequently Asked Questions

  • What is the severity of CVE-2018-1002203?

    CVE-2018-1002203 has a high severity rating due to its potential to allow arbitrary file writes and system compromise.

  • How do I fix CVE-2018-1002203?

    To fix CVE-2018-1002203, update the unzipper library to version 0.8.13 or later.

  • Which versions are affected by CVE-2018-1002203?

    CVE-2018-1002203 affects all versions of the unzipper library prior to version 0.8.13.

  • What kind of attack does CVE-2018-1002203 enable?

    CVE-2018-1002203 enables directory traversal attacks that can lead to unauthorized file access and manipulation.

  • Is CVE-2018-1002203 related to other vulnerabilities?

    CVE-2018-1002203 is also known as 'Zip-Slip', which is a broader category of vulnerabilities affecting zip file handling.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2025 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203