CVE-2022-48285
Directory Traversal vulnerability in jszip (npm)

Directory Traversal | No known exploit

What is CVE-2022-48285 About?

This vulnerability in `JSZip` before version 3.8.0 allows for directory traversal when processing a crafted ZIP archive. An attacker can create a malicious ZIP file that, when extracted, attempts to write files outside of the intended directory. This can lead to arbitrary file creation or overwrites, and exploitation is easy with a specially prepared archive.

Affected Software

jszip <3.8.0

Technical Details

The vulnerability affects JSZip versions prior to 3.8.0, specifically within the `loadAsync` function. It stems from insufficient validation of file paths contained within a ZIP archive. An attacker can craft a ZIP file containing entries with paths that include directory traversal sequences (e.g., `../../`). When JSZip extracts such an archive using `loadAsync`, it fails to properly sanitize or canonicalize these malicious paths, causing files to be written to arbitrary locations on the file system outside of the intended extraction directory. This can lead to overwriting critical system files, creating new malicious files, or data leakage, depending on the attacker's objectives and the privileges of the executing process.

What is the Impact of CVE-2022-48285?

Successful exploitation may allow attackers to write arbitrary files to the file system, leading to data corruption, denial of service, or potentially remote code execution if sensitive system files are overwritten or executable files are placed in trusted locations.

What is the Exploitability of CVE-2022-48285?

Exploitation is of low complexity. The primary prerequisite is that an application uses a vulnerable version of JSZip and processes untrusted ZIP archives via the `loadAsync` function. No specific authentication is required if the attacker can provide the malicious ZIP file to the application. Privilege requirements depend on the context in which JSZip is executed; the impact aligns with the privileges of the running process. This can be a remote vulnerability if the application allows remote upload or processing of ZIP files. The special condition is the application's direct consumption of ZIP files from untrusted sources. The likelihood of exploitation is high if common application workflows involve decompressing user-supplied archives.

What are the Known Public Exploits?

PoC Author Link Commentary
No known exploits

What are the Available Fixes for CVE-2022-48285?

Available Upgrade Options

  • jszip
    • <3.8.0 → Upgrade to 3.8.0

What are Similar Vulnerabilities to CVE-2022-48285?

Similar Vulnerabilities: CVE-2022-26922, CVE-2021-39230, CVE-2020-14144, CVE-2020-14920, CVE-2019-17543