w-zip
Fixed in 1.0.12
CVE-2022-0401 is a critical Path Traversal vulnerability affecting versions of the w-zip Node.js package prior to 1.0.12. This vulnerability allows attackers to read arbitrary files on the system, potentially exposing sensitive data. The vulnerability was published on February 1, 2022, and a fix is available in version 1.0.12.
The w-zip package is a widely used Node.js library for working with ZIP archives. This Path Traversal vulnerability arises from insufficient input validation when handling file paths. An attacker can craft malicious input that bypasses security checks and allows them to access files outside of the intended directory. This could include sensitive configuration files, source code, or even system files, depending on the permissions of the running process. The potential impact is severe, as an attacker could gain access to critical system information or compromise the entire application.
CVE-2022-0401 was quickly recognized as a significant risk and is actively monitored. Public proof-of-concept exploits are readily available, increasing the likelihood of exploitation. The vulnerability is listed on the CISA Known Exploited Vulnerabilities catalog, indicating a high probability of exploitation. No active campaigns have been publicly confirmed, but the ease of exploitation makes it a prime target for opportunistic attackers.
Applications and services that rely on the w-zip Node.js package for ZIP archive manipulation are at risk. This includes web applications, backend services, and any automated processes that handle ZIP files. Projects using older versions of Node.js or those with complex dependency trees are particularly vulnerable, as they may not be aware of the dependency on w-zip.
• nodejs / supply-chain:
`npm list w-zip`
If the output shows a version less than 1.0.12, the system is vulnerable.
• nodejs / supply-chain:
`npm audit w-zip`
This command will identify vulnerable dependencies and suggest remediation steps.
• generic web:
Inspect your application's code for any instances where the w-zip package is used to process user-supplied file paths. Look for any lack of validation or sanitization of these paths.
disclosure
poc
Exploit status
EPSS: 0.68% (72nd percentile)
CVSS vector
The primary mitigation for CVE-2022-0401 is to immediately upgrade the w-zip package to version 1.0.12 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider implementing stricter input validation on file paths within your application code. While not a complete solution, this can help reduce the attack surface. Additionally, review your application's file permissions to ensure that the Node.js process only has access to the files it absolutely needs. After upgrading, confirm the fix by attempting to access a file outside the intended directory using a crafted input – the access should be denied.
Update the w-zip dependency to version 1.0.12 or later. This fixes the path traversal vulnerability. Run `npm install w-zip@latest` to update.
CVE-2022-0401 is a critical Path Traversal vulnerability in the w-zip Node.js package, allowing attackers to read arbitrary files.
You are affected if you are using w-zip versions less than or equal to 1.0.12. Check your project dependencies immediately.
Upgrade the w-zip package to version 1.0.12 or later using npm or yarn. Implement stricter input validation as a temporary workaround.
Public proof-of-concept exploits are available, and the vulnerability is listed on the CISA KEV catalog, indicating a high likelihood of exploitation.
Refer to the npm advisory: https://www.npmjs.com/advisories/1733