Description
Affected versions of superagent do not check the post-decompression size of ZIP compressed HTTP responses prior to decompressing. This results in the package being vulnerable to a ZIP bomb attack, where an extremely small ZIP file becomes many orders of magnitude larger when decompressed.
Recommendation
Update the superagent package to the latest compatible version. Version details:
- Affected version(s): < 3.7.0
- Patched version(s): 3.7.0
References
Related Issues
- Marked vulnerable to XSS from data URIs - CVE-2017-1000427
- ejs vulnerable to DoS due to weak input validation - CVE-2017-1000189
- mde ejs vulnerable to XSS - CVE-2017-1000188
- ejs is vulnerable to remote code execution due to weak input validation - CVE-2017-1000228
Tags:
- npm
- superagent
Last updated on September 08, 2023