Intel

AIKIDO-2026-123346

adm-zip is vulnerable to Denial of Service (DoS)

Denial of Service (DoS)CVE-2026-39244 Published Today

75

High Risk

This Affects:

JSadm-zip
0.5.10 - 0.5.18
Fixed in 0.6.0
Are you affected? Scan for Free

TL;DR

The adm-zip extraction path allocates an output buffer using the uncompressed size declared in the ZIP entry header without validating it against the actual compressed data available. A crafted archive carrying a small compressed payload with an inflated declared size causes Buffer.alloc to materialize an arbitrarily large buffer during extraction, exhausting process memory and crashing the Node.js process. The fix bounds the output allocation to the actual compressed bytes available rather than the attacker-controlled declared size.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range and your application extracts untrusted ZIP archives.

Background info

adm-zip is vulnerable to Denial of Service (DoS) in versions 0.5.10 - 0.5.18.

How to fix this

Upgrade the adm-zip library to the patch version.