Denial of Service (DoS)
Description
JSZip before version 3.7.0 allows prototype pollution through specially crafted filenames, leading to a Denial of Service (DoS) when extracting the zip.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The vulnerability resides in the JSZip library (versions before 3.7.0) used for creating, reading, and editing .zip files in JavaScript. When processing a crafted zip archive, filenames that are set to Object prototype property names such as __proto__, toString, and others are assigned directly onto the result object. This pollutes the object's prototype, which can cause unexpected behavior or crashes when the object is subsequently used [1][2].
Exploitation
An attacker needs to craft a malicious zip file containing entries whose filenames are Object prototype property names. The victim must then load this archive using the jszip.loadAsync() method (or similar API) in an application that uses the vulnerable library. No special authentication or network position beyond being able to deliver the zip file to the victim's application is required. The provided proof-of-concept demonstrates that calling zip.files.toString() after loading such a malicious zip throws an exception [2][3].
Impact
Successful exploitation results in a Denial of Service (DoS). The prototype pollution corrupts the internal state of the JSZip object, causing operations like property access or method calls (e.g., toString) to throw exceptions, thereby crashing or hanging the consuming application [2]. The impact is limited to availability; there is no evidence of code execution or information disclosure in the available references.
Mitigation
The fix is to upgrade JSZip to version 3.7.0 or later for the npm package (jszip), or to version 3.7.1 or later for the Java WebJars variants (org.webjars.npm:jszip and org.webjars:jszip) [2][3][4]. No workarounds are documented. As of the publication date (July 2021), this CVE is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog.
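As an added illustration (not code from JSZip or from the advisory), the block below models the entry table as a plain object keyed by filename, the way JSZip before 3.7.0 kept it, next to the null-prototype table introduced by the fix. The entry names are constructed and no archive is parsed; the `{ name, dir }` shape stands in for a real ZipObject.

```javascript
// Added example, not JSZip's own code: plain-object entry table (< 3.7.0) vs. the 3.7.0 fix.

// Constructed entry names, mirroring the crafted filenames the advisory describes.
const CRAFTED_ENTRY_NAMES = ["readme.txt", "toString", "hasOwnProperty", "__proto__"];

// Old constructor shape (`this.files = {}`) vs. fixed shape
// (`this.files = Object.create(null)`), filled the way loadAsync does.
function buildFilesTable(entryNames, useNullPrototype) {
  const files = useNullPrototype ? Object.create(null) : {};
  for (const name of entryNames) files[name] = { name, dir: false }; // simplified ZipObject
  return files;
}

// Mirrors the pre-fix forEach, whose guard calls this.files.hasOwnProperty().
// Returns the visited names, or the error class if the walk throws.
function walkOldStyle(files) {
  const seen = [];
  try {
    for (const filename in files) {
      if (!files.hasOwnProperty(filename)) continue; // not callable once an entry is named "hasOwnProperty"
      seen.push(filename);
    }
  } catch (err) {
    return { error: err.constructor.name };
  }
  return { seen };
}

// Post-fix forEach: no guard, a null-prototype object enumerates only its own keys.
function walkFixed(files) {
  const seen = [];
  for (const filename in files) seen.push(filename);
  return seen;
}

// What the crafted names did to the table: lost entries, a swapped prototype (an object
// assigned to "__proto__" becomes the prototype of a plain object) and fields leaking from it.
function inspect(files, expectedPrototype) {
  return {
    ownKeys: Object.keys(files),
    prototypeReplaced: Object.getPrototypeOf(files) !== expectedPrototype,
    leakedName: files.name,
  };
}

const vulnerable = buildFilesTable(CRAFTED_ENTRY_NAMES, false);
const fixed = buildFilesTable(CRAFTED_ENTRY_NAMES, true);
console.log("before fix:", inspect(vulnerable, Object.prototype), walkOldStyle(vulnerable));
console.log("after fix: ", inspect(fixed, null), walkFixed(fixed));
```

Run under Node: the plain table loses the `__proto__` entry, inherits `name`/`dir` from the injected prototype and throws a TypeError on the first `hasOwnProperty` call, while the null-prototype table keeps all four entries as ordinary keys.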
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| jszip (npm) | >= 3.0.0, < 3.7.0 | 3.7.0 |
| jszip (npm) | < 2.7.0 | 2.7.0 |
Affected products
- jszip/jszip
Patches
- 22357494f424 fix: Use a null prototype object for this.files
2 files changed · +7 −4
lib/index.js+4 −1 modified@@ -19,7 +19,10 @@ function JSZip() { // "folder/" : {...}, // "folder/data.txt" : {...} // } - this.files = {}; + // NOTE: we use a null prototype because we do not + // want filenames like "toString" coming from a zip file + // to overwrite methods and attributes in a normal Object. + this.files = Object.create(null); this.comment = null;
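Review bot: switching `this.files` to `Object.create(null)` strips every inherited method from a table that callers also reach through the public `zip.files`, so downstream code doing `zip.files.hasOwnProperty(name)` or `zip.files.toString()` will now throw where it used to work; this deserves a changelog entry alongside the inline NOTE. It is also worth checking that no other path in the library assigns a plain `{}` to `this.files` (cloning, loading), since that would quietly reintroduce the shadowing this hunk removes.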
lib/object.js+3 −3 modified@@ -179,16 +179,16 @@ var out = { */ forEach: function(cb) { var filename, relativePath, file; + /* jshint ignore:start */ + // ignore warning about unwanted properties because this.files is a null prototype object for (filename in this.files) { - if (!this.files.hasOwnProperty(filename)) { - continue; - } file = this.files[filename]; relativePath = filename.slice(this.root.length, filename.length); if (relativePath && filename.slice(0, this.root.length) === this.root) { // the file is in the current root cb(relativePath, file); // TODO reverse the parameters ? need to be clean AND consistent with the filter search fn... } } + /* jshint ignore:end */ }, /**
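Review bot: removing the `if (!this.files.hasOwnProperty(filename)) { continue; }` guard is correct only while `this.files` is guaranteed to be a null-prototype object, and that removed call is itself the crash the advisory describes (an entry named `hasOwnProperty` makes it a non-function). A form that needs neither that invariant nor the `jshint ignore` block is `if (!Object.prototype.hasOwnProperty.call(this.files, filename)) { continue; }`, which cannot be shadowed by an entry name and still filters inherited keys should a plain object ever end up in `this.files`.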
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-jg8v-48h5-wgxg
- nvd.nist.gov/vuln/detail/CVE-2021-23413
- github.com/Stuk/jszip/blob/master/lib/object.js#L88
- github.com/Stuk/jszip/commit/22357494f424178cb416cdb7d93b26dd4f824b36
- github.com/Stuk/jszip/pull/766
- snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1251499
- snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1251498
- snyk.io/vuln/SNYK-JS-JSZIP-1251497
News mentions
No linked articles in our index yet.