
Withdrawn Advisory: cross-zip is vulnerable to Directory Traversal through selective use of zip/unzip operations

Low severity · GitHub Reviewed · Published Oct 10, 2025 to the GitHub Advisory Database · Updated Oct 20, 2025
Withdrawn: this advisory was withdrawn on Oct 20, 2025

Package

cross-zip (npm)

Affected versions

<= 4.0.1

Patched versions

None

Description

Withdrawn Advisory

This advisory has been withdrawn because it does not discuss a valid vulnerability. This link is maintained to preserve external references.

Original Description

All versions of the package cross-zip are vulnerable to Directory Traversal via consecutive usage of the zipSync() and unzipSync() functions, which allow arguments such as __dirname. An attacker can access system files by selectively doing zip/unzip operations.

References

Published by the National Vulnerability Database Oct 10, 2025
Published to the GitHub Advisory Database Oct 10, 2025
Reviewed Oct 10, 2025
Withdrawn Oct 20, 2025
Last updated Oct 20, 2025

Severity

Low

EPSS score

Exploit Prediction Scoring System (EPSS)

This score estimates the probability of this vulnerability being exploited within the next 30 days. Data provided by FIRST.
(57th percentile)

Weaknesses

CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

The product uses external input to construct a pathname that is intended to identify a file or directory located underneath a restricted parent directory, but does not properly neutralize special elements within the pathname that can cause it to resolve to a location outside of the restricted directory.

CVE ID

CVE-2025-11569

GHSA ID

GHSA-gj5f-73vh-wpf7
