fs-extra is vulnerable to Improper Link Resolution Before File Access
25
Low Risk
The copy and move methods use checkParentPaths and checkParentPathsSync in lib/util/stat.js to detect when the destination is inside the source directory and abort so copy does not recurse into the tree it is creating. The check walks up the destination's ancestors but returns early when an intermediate ancestor does not yet exist, so a deeper existing ancestor that is a symlink pointing into the source tree is never inspected. An attacker who controls such a symlinked destination ancestor bypasses the self-subdirectory protection, causing copy to create the missing path under the symlink target and recurse into the source subtree until resource exhaustion or ENAMETOOLONG. The fix keeps walking up to an existing ancestor on ENOENT instead of returning early.
You are affected if you are using a version that falls within the vulnerable range and you copy or move into destinations whose ancestor paths can be untrusted symlinks.
fs-extra is vulnerable to Improper Link Resolution Before File Access in versions 8.0.0 - 11.3.5.
Upgrade the fs-extra library to the patch version.
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.

SOC 2Compliant
ISO 27001Compliant