Platform: nodejs
Component: w-zip
Fixed in: 1.0.12
CVE-2022-0401 is a critical Path Traversal vulnerability affecting versions of the w-zip Node.js package prior to 1.0.12. This vulnerability allows attackers to read arbitrary files on the system, potentially exposing sensitive data. The vulnerability was published on February 1, 2022, and a fix is available in version 1.0.12.
The w-zip package is a widely used Node.js library for working with ZIP archives. This Path Traversal vulnerability arises from insufficient input validation when handling file paths. An attacker can craft malicious input that bypasses security checks and allows them to access files outside of the intended directory. This could include sensitive configuration files, source code, or even system files, depending on the permissions of the running process. The potential impact is severe, as an attacker could gain access to critical system information or compromise the entire application.
CVE-2022-0401 was quickly recognized as a significant risk and is actively monitored. Public proof-of-concept exploits are readily available, increasing the likelihood of exploitation. The vulnerability is listed on the CISA Known Exploited Vulnerabilities catalog, indicating a high probability of exploitation. No active campaigns have been publicly confirmed, but the ease of exploitation makes it a prime target for opportunistic attackers.
Exploit Status
EPSS: 0.68% (72nd percentile)
CVSS Vector
The primary mitigation for CVE-2022-0401 is to immediately upgrade the w-zip package to version 1.0.12 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider implementing stricter input validation on file paths within your application code. While not a complete solution, this can help reduce the attack surface. Additionally, review your application's file permissions to ensure that the Node.js process only has access to the files it absolutely needs. After upgrading, confirm the fix by attempting to access a file outside the intended directory using a crafted input – the access should be denied.
Update the w-zip dependency to version 1.0.12 or higher. This fixes the path traversal vulnerability. Run `npm install w-zip@latest` to update.
CVE-2022-0401 is a critical Path Traversal vulnerability in the w-zip Node.js package, allowing attackers to read arbitrary files.
You are affected if you are using w-zip versions less than or equal to 1.0.12. Check your project dependencies immediately.
Upgrade the w-zip package to version 1.0.12 or later using npm or yarn. Implement stricter input validation as a temporary workaround.
Public proof-of-concept exploits are available, and the vulnerability is listed on the CISA KEV catalog, indicating a high likelihood of exploitation.
Refer to the npm advisory: https://www.npmjs.com/advisories/1733