Description
Affected versions of superagent do not check the post-decompression size of ZIP compressed HTTP responses prior to decompressing. This results in the package being vulnerable to a ZIP bomb attack, where an extremely small ZIP file becomes many orders of magnitude larger when decompressed.
Recommendation
Update the superagent package to the latest compatible version. Version details are as follows:
- Affected version(s): < 3.7.0
- Patched version(s): 3.7.0
References
Related Issues
- svelte vulnerable to Cross-site Scripting - CVE-2025-15265
- Angular vulnerable to Cross-site Scripting - CVE-2020-7676
- angular Prototype Pollution vulnerability - CVE-2019-10768
- rollbar vulnerable to prototype pollution - CVE-2025-57325
Tags:
- npm
- superagent
Last updated on September 08, 2023