npm package
jszip
pkg:npm/jszip
Vulnerabilities (2)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2022-48285 | — | | | < 3.8.0 | 3.8.0 | Jan 29, 2023 | `loadAsync` in JSZip before 3.8.0 allows Directory Traversal via a crafted ZIP archive. |
| CVE-2021-23413 | — | | | >= 3.0.0, < 3.7.0 | 3.7.0 | Jul 25, 2021 | This affects the package jszip before 3.7.0. Crafting a new zip file with filenames set to Object prototype values (e.g. `__proto__`, `toString`, etc.) results in a returned object with a modified prototype instance. |