CVE-2023-39139
📋 TL;DR
CVE-2023-39139 is a path traversal vulnerability in Archive v3.3.7 that allows attackers to write arbitrary files outside the intended extraction directory by exploiting specially crafted zip files. This affects any application using the vulnerable Archive library for zip file processing. Attackers can potentially overwrite critical system files or deploy malicious payloads.
💻 Affected Systems
- Archive library (npm package)
📦 What is this software?
Archive by Archive Project
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution, complete system compromise, or data destruction by overwriting critical system files like /etc/passwd, .ssh/authorized_keys, or web server configurations.
Likely Case
File overwrite leading to denial of service, privilege escalation, or deployment of backdoors in web applications using the library.
If Mitigated
Limited impact with proper file permission restrictions, sandboxed extraction environments, and input validation preventing malicious zip uploads.
🎯 Exploit Status
Public proof-of-concept exists showing zip file creation with path traversal sequences. Exploitation requires only the ability to upload or provide a malicious zip file to the vulnerable application.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Archive v3.3.8 or later
Vendor Advisory: https://github.com/brendan-duncan/archive/issues/265
Restart Required: No
Instructions:
1. Update Archive package: npm update archive
2. Verify version is 3.3.8 or higher: npm list archive
3. Restart any applications using the library to load the updated version.
🔧 Temporary Workarounds
Input validation and sanitization
Validate zip file contents before extraction; reject files whose entry names contain path traversal sequences (../, ..\)
Implement file name validation in application code before calling archive.extract()
Sandboxed extraction directory
Extract zip files to isolated, temporary directories with restricted permissions
d="/tmp/zip_extract_$(date +%s)" && mkdir -p "$d" && chmod 700 "$d"   # extract into "$d" only
🧯 If You Can't Patch
- Disable zip file processing functionality entirely if not essential
- Implement strict file upload restrictions: maximum file size limits, file type validation, and user authentication requirements
🔍 How to Verify
Check if Vulnerable:
Check package.json or run: npm list archive | grep archive@3.3.7
Check Version:
npm list archive | grep archive
Verify Fix Applied:
Confirm Archive version is 3.3.8 or higher (the pattern also accepts 3.3.10+, 3.4.x and later major versions): npm list archive | grep -E 'archive@(3\.3\.([89]|[1-9][0-9]+)|3\.([4-9]|[1-9][0-9]+)\.|([4-9]|[1-9][0-9]+)\.)'
📡 Detection & Monitoring
Log Indicators:
- Failed file write attempts outside expected directories
- Multiple zip extraction errors
- Unexpected file creation in system directories
Network Indicators:
- Large number of zip file uploads to vulnerable endpoints
- Unusual file upload patterns
SIEM Query:
source="application_logs" AND ("archive.extract" OR "zip extraction") AND ("permission denied" OR "ENOENT" OR "../")
🔗 References
- https://blog.ostorlab.co/zip-packages-exploitation.html
- https://github.com/brendan-duncan/archive/issues/265
- https://ostorlab.co/vulndb/advisory/OVE-2023-5