Description
Affected versions of superagent do not check the post-decompression size of ZIP compressed HTTP responses prior to decompressing. This results in the package being vulnerable to a ZIP bomb attack, where an extremely small ZIP file becomes many orders of magnitude larger when decompressed.
Recommendation
Update the superagent package to the latest compatible version. Followings are version details:
- Affected version(s): < 3.7.0
- Patched version(s): 3.7.0
References
Related Issues
- Marked vulnerable to XSS from data URIs - CVE-2017-1000427
- link-preview-js vulnerable to IPv6 and internal loopback attacks - CVE-2026-43897
- ejs is vulnerable to remote code execution due to weak input validation - CVE-2017-1000228
- Sanitize-html Vulnerable To REDoS Attacks - CVE-2022-25887
You might also like:
- Tags:
- npm
- superagent
Anything's wrong? Let us know Last updated on September 08, 2023


