@zip.js/zip.js is vulnerable to Improper Verification of Cryptographic Signature
80
High Risk
@zip.js/zip.js contains several cryptographic correctness defects in its ZIP decryption path. AES-encrypted entry authentication tags are not always verified, allowing a tampered ciphertext to be decrypted and returned without the integrity check failing. ZipCrypto password verification uses a variable-time comparison, leaking timing information that can aid password recovery. When the Web Crypto API is unavailable the library falls back to a non-cryptographic pseudo-random generator for key material, weakening encryption for newly created archives. The fix enforces AES authentication on every decryption, replaces the ZipCrypto comparison with a constant-time implementation, and removes the insecure PRNG fallback.
You are affected if you are using a version that falls within the vulnerable range and your application decrypts AES- or ZipCrypto-encrypted ZIP entries, or creates encrypted archives in runtimes where crypto.getRandomValues is unavailable.
@zip.js/zip.js is vulnerable to Improper Verification of Cryptographic Signature in versions 2.0.0 - 2.8.26.
Upgrade the @zip.js/zip.js library to the patch version.
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.

I consent to receiving marketing communications based on Aikido’s Privacy Policy.
SOC 2Compliant
ISO 27001Compliant