Intel

AIKIDO-2026-57045

fs-extra is vulnerable to Improper Link Resolution Before File Access

Improper Link Resolution Before File Access Pre-CVE
Found by Aikido Intel before public disclosure or CVE publication.
Published Yesterday

25

Low Risk

This Affects:

JSfs-extra
8.0.0 - 11.3.5
Fixed in 11.3.6
Are you affected? Scan for Free

TL;DR

The copy and move methods use checkParentPaths and checkParentPathsSync in lib/util/stat.js to detect when the destination is inside the source directory and abort so copy does not recurse into the tree it is creating. The check walks up the destination's ancestors but returns early when an intermediate ancestor does not yet exist, so a deeper existing ancestor that is a symlink pointing into the source tree is never inspected. An attacker who controls such a symlinked destination ancestor bypasses the self-subdirectory protection, causing copy to create the missing path under the symlink target and recurse into the source subtree until resource exhaustion or ENAMETOOLONG. The fix keeps walking up to an existing ancestor on ENOENT instead of returning early.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range and you copy or move into destinations whose ancestor paths can be untrusted symlinks.

Background info

fs-extra is vulnerable to Improper Link Resolution Before File Access in versions 8.0.0 - 11.3.5.

How to fix this

Upgrade the fs-extra library to the patch version.