@jsonjoy.com/fs-snapshot is vulnerable to Path Traversal
59
Medium Risk
The package restores filesystem snapshots by recreating folder entries under a caller-specified root directory, which is the boundary the restore is supposed to stay within. During restore, folder entry names were concatenated directly into target paths without rejecting `.`, `..`, or names containing path separators. A crafted snapshot could therefore use traversal-style entry names such as `../escaped.txt` to create files and directories outside the intended restore directory. The fix validates each entry name before recursing into it and rejects unsafe names consistently across the sync, async, JSON, and binary restore paths.
You are affected if you use a version in the vulnerable range and your application restores snapshots from untrusted or attacker-influenced sources, for example snapshots received over the network or produced by another tenant.
@jsonjoy.com/fs-snapshot is vulnerable to Path Traversal in versions 4.2.0 - 4.57.6.
Upgrade @jsonjoy.com/fs-snapshot to a patched version above the vulnerable range. If upgrading is not immediately possible, treat snapshot contents as untrusted input and reject entry names that are empty, `.`, `..`, or contain a path separator before restoring.