CVE-2020-12265
Path Traversal in decompress
9.8
CRITICAL
CVSS 3.1
EPSS 0.74%
Description
Versions of `decompress` prior to 4.2.1 are vulnerable to Arbitrary File Write. The package fails to prevent extraction of files with relative paths, allowing attackers to write to any folder in the system by including filenames containing `../`.
Recommendation
Upgrade to version 4.2.1 or later.
How to fix CVE-2020-12265
To remediate CVE-2020-12265, upgrade the affected package to a fixed version below.
- Upgrade to 4.2.1 or later
Is CVE-2020-12265 being exploited?
Low — EPSS is 0.7%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- decompress: all versions from 0 up to, but not including, 4.2.1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL 9.8 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |