CVE-2020-12265
Arbitrary File Write vulnerability in decompress (npm)
What is CVE-2020-12265 About?
This vulnerability in `decompress` versions prior to 4.2.1 allows for arbitrary file write due to a failure to prevent extraction of files with relative paths. Attackers can write files to any folder on the system by crafting malicious archive contents. This can lead to remote code execution or system compromise.
Affected Software
Technical Details
decompress versions older than 4.2.1 are vulnerable to Arbitrary File Write due to improper handling of file paths during extraction. The package does not adequately sanitize or validate filenames within compressed archives. This allows an attacker to include filenames containing directory traversal sequences, specifically `../`, within the archive (the pattern commonly called "zip slip"). When the archive is decompressed, these relative paths cause the extractor to write files outside of the intended extraction directory, potentially into sensitive system locations. By writing to system-critical files or web server directories, an attacker can achieve remote code execution, overwrite data, or cause denial of service.
What is the Impact of CVE-2020-12265?
Successful exploitation may allow attackers to write arbitrary files to any location on the file system, leading to remote code execution, data destruction, or denial of service.
What is the Exploitability of CVE-2020-12265?
Exploitation is moderate in complexity. It requires an attacker to provide a specially crafted malicious archive to an application that uses the decompress package for file extraction. This is typically a remote exploitation vector if the application accepts and decompresses untrusted user-uploaded archives. No specific authentication or high privileges are generally required beyond the ability to upload or submit a malicious archive. The primary condition for exploitation is an application that uses the decompress library to process untrusted archives without proper path sanitization. Risk factors include file upload functionalities that automatically decompress user-provided content.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2020-12265?
About the Fix from Resolved Security
This patch prevents directory traversal attacks (zip slip) by ensuring that, when extracting files, directories and files can only be created inside the intended output directory. It fixes CVE-2020-12265 by rejecting extraction if a file path attempts to escape the target directory using '..' or symlinks, effectively blocking malicious archive entries from writing outside the extraction root.
Available Upgrade Options
- decompress
  - <4.2.1 → Upgrade to 4.2.1
Additional Resources
- https://github.com/kevva/decompress/pull/73
- https://github.com/kevva/decompress/issues/71
- https://github.com/kevva/decompress/commit/967146e70f48be32ed1a69daa3941d681944d513
- https://osv.dev/vulnerability/GHSA-qgfr-5hqp-vrw9
- https://nvd.nist.gov/vuln/detail/CVE-2020-12265
- https://github.com/kevva/decompress
- https://www.npmjs.com/advisories/1217
What are Similar Vulnerabilities to CVE-2020-12265?
Similar Vulnerabilities: CVE-2020-7677, CVE-2020-7679, CVE-2020-7655, CVE-2022-37607, CVE-2020-28500
