Description
Affected versions of superagent do not check the post-decompression size of ZIP compressed HTTP responses prior to decompressing. This results in the package being vulnerable to a ZIP bomb attack, where an extremely small ZIP file becomes many orders of magnitude larger when decompressed.
Recommendation
Update the superagent package to the latest compatible version. The version details are as follows:
- Affected version(s): < 3.7.0
- Patched version(s): 3.7.0
Tags:
- npm
- superagent
Last updated on September 08, 2023