{"id":"CVE-2018-1002203","details":"unzipper npm library before 0.8.13 is vulnerable to directory traversal, allowing attackers to write to arbitrary files via a ../ (dot dot slash) in a Zip archive entry that is mishandled during extraction. This vulnerability is also known as 'Zip-Slip'.","aliases":["GHSA-884w-698f-927f"],"modified":"2026-05-28T04:04:31.164382719Z","published":"2018-07-25T17:29:01.157Z","database_specific":{"unresolved_ranges":[{"extracted_events":[{"fixed":"0.8.13"}],"source":"CPE_RANGE","cpes":["cpe:2.3:a:unzipper_project:unzipper:*:*:*:*:*:node.js:*:*"],"vendor_product":"unzipper_project:unzipper"},{"extracted_events":[{"fixed":"0.8.13"}],"source":"DESCRIPTION"}]},"references":[{"type":"FIX","url":"https://github.com/ZJONSSON/node-unzipper/commit/2220ddd5b58f6252069a4f99f9475441ad0b50cd"},{"type":"FIX","url":"https://github.com/ZJONSSON/node-unzipper/pull/59"},{"type":"FIX","url":"https://snyk.io/research/zip-slip-vulnerability"},{"type":"FIX","url":"https://snyk.io/vuln/npm:unzipper:20180415"},{"type":"EVIDENCE","url":"https://github.com/snyk/zip-slip-vulnerability"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/zjonsson/node-unzipper","events":[{"introduced":"0"},{"fixed":"2220ddd5b58f6252069a4f99f9475441ad0b50cd"}],"database_specific":{"source":"REFERENCES"}}],"versions":["v0.1.11","v0.1.10","v0.1.8","v0.1.7","v0.1.6","v0.1.6-alpha","v0.1.5","v0.1.4","v0.1.3","v0.1.2","v0.1.1","v0.1.0","v0.0.4","v0.0.3","v0.0.2","v0.0.1"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2018-1002203.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N"}]}