CVE-2021-23484

9.8 CRITICAL

📋 TL;DR

zip-local versions before 0.3.5 do not validate ZIP entry names during extraction (a Zip Slip path traversal). An entry whose name contains '..' components or is an absolute path is written outside the intended extraction directory, so an attacker who can get an application to extract a crafted archive can overwrite any file the extracting process is allowed to write. This affects any application that uses zip-local before 0.3.5 to extract archives.

💻 Affected Systems

Products:
  • zip-local npm package
Versions: All versions before 0.3.5
Operating Systems: All operating systems where Node.js runs
Default Config Vulnerable: ⚠️ Yes
Notes: Any Node.js application using zip-local for ZIP extraction is vulnerable by default.

📦 What is this software?

zip-local is an npm package for Node.js that zips and unzips files and directories on the local file system, with synchronous and asynchronous APIs.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise via arbitrary file overwrite. Writing outside the destination lets an attacker drop files where they are executed or trusted (cron entries, shell profiles, application source that is later loaded), leading to code execution as the extracting user, privilege escalation if that user is privileged, or data destruction.

🟠

Likely Case

Arbitrary file overwrite leading to data corruption, denial of service, or limited code execution depending on file locations accessible to the application.

🟢

If Mitigated

Limited impact if extraction runs in an isolated container or sandbox whose file system view contains nothing worth overwriting and no host paths are writable.

🌐 Internet-Facing: HIGH - Any application accepting ZIP uploads from untrusted sources is vulnerable to exploitation.
🏢 Internal Only: MEDIUM - Internal applications processing ZIP files from semi-trusted sources could still be vulnerable.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires only a specially crafted ZIP file. Public proof-of-concept exists and the vulnerability pattern (Zip Slip) is well-known.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.3.5 and later

Vendor Advisory: https://github.com/Mostafa-Samir/zip-local/commit/949446a95a660c0752b1db0c654f0fd619ae6085

Restart Required: No

Instructions:

1. In package.json, set the zip-local dependency to "^0.3.5". A plain 'npm update zip-local' will not move past an exact pin such as "0.3.4".
2. Run 'npm install zip-local@^0.3.5' (or 'npm install zip-local@latest') and commit the updated lockfile.
3. Run 'npm ls zip-local' and confirm that every copy, including any nested under other dependencies, reports 0.3.5 or later.
4. Test ZIP extraction functionality.

🔧 Temporary Workarounds

Input validation and sanitization (all platforms)

Validate every ZIP entry name before extraction: resolve it against the destination directory and refuse any entry whose resolved path is not inside that directory (names containing '..', absolute paths, or drive letters). If zip-local's own extraction cannot be replaced, list the archive's entries first with any ZIP library that exposes entry names and reject the whole archive on the first bad entry.

Sandbox extraction (linux)

Run the extraction step in an isolated container or sandbox with restricted file system access: an unprivileged user, a fresh empty extraction directory, no host paths mounted other than a dedicated scratch volume, or a chroot jail. Anything a traversal can overwrite is then limited to what that sandbox can see.

🧯 If You Can't Patch

  • Disable ZIP extraction functionality entirely if not essential
  • Implement strict file upload validation and only accept ZIP files from trusted sources

🔍 How to Verify

Check if Vulnerable:

package.json only records a version range, so check the version actually installed. Run 'npm list zip-local' (it also reports copies nested under other dependencies) or read node_modules/zip-local/package.json. Any copy with a version lower than 0.3.5 is vulnerable.

Check Version:

npm list zip-local

Verify Fix Applied:

Confirm that every copy reported by 'npm list zip-local' is 0.3.5 or higher, and that package-lock.json and node_modules/zip-local/package.json agree.

📡 Detection & Monitoring

Log Indicators (these assume the application logs archive entry names or extraction errors):

  • File writes or modified files outside the configured extraction directory
  • Failed file operations during extraction (EACCES, EPERM), which can indicate a traversal attempt that hit a path the process could not write
  • Archive entry names containing '../' or starting with '/' in upload or extraction logs

Network Indicators:

  • Large or unusual ZIP file uploads to applications
  • Repeated upload attempts with similar ZIP files

SIEM Query:

source="application_logs" AND ("zip extraction" OR "unzip") AND ("permission denied" OR "EACCES" OR "EPERM" OR "path traversal" OR "../")
