adm-zip is vulnerable to Denial of Service (DoS)
75
High Risk
The adm-zip extraction path allocates an output buffer using the uncompressed size declared in the ZIP entry header without validating it against the actual compressed data available. A crafted archive carrying a small compressed payload with an inflated declared size causes Buffer.alloc to materialize an arbitrarily large buffer during extraction, exhausting process memory and crashing the Node.js process. The fix bounds the output allocation to the actual compressed bytes available rather than the attacker-controlled declared size.
You are affected if you are using a version that falls within the vulnerable range and your application extracts untrusted ZIP archives.
adm-zip is vulnerable to Denial of Service (DoS) in versions 0.5.10 - 0.5.18.
Upgrade the adm-zip library to the patch version.
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.

SOC 2Compliant
ISO 27001Compliant