Moderate severityNVD Advisory· Published Jul 25, 2018· Updated Aug 5, 2024

CVE-2018-1002204

Description

adm-zip npm library before 0.4.9 is vulnerable to directory traversal, allowing attackers to write to arbitrary files via a ../ (dot dot slash) in a Zip archive entry that is mishandled during extraction. This vulnerability is also known as 'Zip-Slip'.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

adm-zip npm library before 0.4.9 suffers from a Zip-Slip directory traversal vulnerability, allowing attackers to overwrite arbitrary files via a crafted archive.

Vulnerability

The adm-zip npm library versions before 0.4.9 contain a directory traversal vulnerability during archive extraction, commonly known as Zip-Slip [1][2][3]. The library does not validate or sanitize file paths within ZIP archive entries. When extracting a ZIP file, a crafted entry with a filename containing ../ (dot dot slash) sequences is concatenated directly to the destination extraction directory. This allows the final resolved path to escape the intended target folder. The vulnerable code exists in the extraction logic that processes ZipEntry names without path normalization [2][3]. All versions of adm-zip prior to 0.4.9 are affected [1][4].

Exploitation

To exploit this vulnerability, an attacker must deliver a specially crafted ZIP archive to a system or application that uses the adm-zip library for extraction [2][3]. The attacker does not need authentication if the extraction is triggered by an unauthenticated user or automated process. The archive contains one or more entries with path traversal filenames, for example ../../evil.sh or ../../../../../../root/.ssh/authorized_keys [3][4]. When the vulnerable code extracts the archive, it creates files at the traversed path. The attack can be performed by any mechanism that allows the user to supply a ZIP file (e.g., file upload, email attachment, download from a malicious source) [2]. No special privileges beyond the ability to trigger extraction are needed.

Impact

Successful exploitation allows an attacker to write arbitrary files to the file system outside the intended extraction directory [1][4]. This can lead to overwriting executable files, configuration files, or sensitive system files (such as SSH authorized_keys). Depending on the context, the attacker may achieve remote code execution if the overwritten file is an executable that is later invoked, or may gain unauthorized access by modifying security-sensitive files [3][4]. The compromise occurs at the privilege level of the process performing the extraction, potentially affecting both client machines and servers [3].

Mitigation

The vulnerability is fixed in adm-zip version 0.4.11 and later [4]. Users should upgrade to version 0.4.11 or higher to remediate the issue. No workaround is provided in the references, but general best practices for processing archive files include validating and sanitizing entry paths against directory traversal patterns before extraction [2][3]. The vulnerability is not currently listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.

References

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
adm-zipnpm	< 0.4.11	0.4.11

Affected products

adm-zip/adm-zipllm-create
Range: <0.4.9
ghsa-coords
pkg:npm/adm-zip
Range: < 0.4.11
node.js/adm-zipv5
Range: unspecified

Patches

62f64004fefb

Merge pull request #212 from aviadatsnyk/master

https://github.com/cthackers/adm-zipThe BrainApr 23, 2018via ghsa

commit

1 file changed · +11 −0

adm-zip.js+11 −0 modified

@@ -354,6 +354,9 @@ module.exports = function(/*String*/input) {
 
 
             var target = pth.resolve(targetPath, maintainEntryPath ? entryName : pth.basename(entryName));
+            if(!target.startsWith(targetPath)) {
+                throw Utils.Errors.INVALID_FILENAME + ": " + entryName;
+            }
 
             if (item.isDirectory) {
                 target = pth.resolve(target, "..");
@@ -429,6 +432,10 @@ module.exports = function(/*String*/input) {
             _zip.entries.forEach(function(entry) {
                 entryName = entry.entryName.toString();
 
+                if(!pth.resolve(targetPath, entryName).startsWith(targetPath)) {
+                    throw Utils.Errors.INVALID_FILENAME + ": " + entryName;
+                }
+
                 if(isWin){
                     entryName = escapeFileName(entryName)
                 }
@@ -471,6 +478,10 @@ module.exports = function(/*String*/input) {
                     entryName = escapeFileName(entryName)
                 }
 
+                if(!pth.resolve(targetPath, entryName).startsWith(targetPath)) {
+                  throw Utils.Errors.INVALID_FILENAME + ": " + entryName;
+                }
+
                 if (entry.isDirectory) {
                     Utils.makeDir(pth.resolve(targetPath, entryName));
                     if(--i == 0)

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

github.com/advisories/GHSA-3v6h-hqm4-2rg6ghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2018-1002204ghsaADVISORY
www.securityfocus.com/bid/107001ghsavdb-entryx_refsource_BIDWEB
github.com/cthackers/adm-zip/commit/62f64004fefb894c523a7143e8a88ebe6c84df25ghsax_refsource_CONFIRMWEB
github.com/cthackers/adm-zip/pull/212ghsax_refsource_CONFIRMWEB
hackerone.com/reports/362118ghsaWEB
snyk.io/research/zip-slip-vulnerabilityghsax_refsource_MISCWEB
snyk.io/vuln/npm:adm-zip:20180415ghsax_refsource_MISCWEB
www.npmjs.com/advisories/681ghsaWEB
www.npmjs.com/advisories/994ghsaWEB

News mentions

No linked articles in our index yet.

cvss	0.260
epss	0.014
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000