webcrack has an Arbitrary File Write Vulnerability on Windows when Parsing and Saving a Malicious Bundle

Description

An arbitrary file write vulnerability exists in the webcrack module when processing specifically crafted malicious code on Windows systems. This vulnerability is triggered when using the unpack bundles feature in conjunction with the saving feature.

Recommendation

Update the webcrack package to the latest compatible version. Followings are version details:

• Affected version(s): <= 2.14.0
• Patched version(s): 2.14.1

References

• GHSA-ccqh-278p-xq6w
• CVE-2024-43373
• CWE-20
• CWE-22
• CAPEC-310
• OWASP 2021-A1
• OWASP 2021-A3
• OWASP 2021-A6

Related Issues

• @appium/support has a Zip Slip arbitrary file write in its ZIP extraction - CVE-2026-30973
• Rollup 4 has Arbitrary File Write via Path Traversal - CVE-2026-27606
• Saltcorn has an Unauthenticated Path Traversal in sync endpoints, allowing arbitrary file write and directory read - CVE-2026-40163
• SillyTavern has a path traversal in `/api/chats/import` allows arbitrary file write outside intended chat directory - CVE-2026-34522

You might also like:

Exploiting Server Version Disclosure

How do hackers hack websites?

Secure Coding 101: How to Read and Write Files Securely

Tags:

npm

webcrack