/plushcap/analysis/snyk/snyk-severe-security-vulnerability-in-bowers-zip-archive-extraction

Severe security vulnerability in Bower’s zip archive extraction

What's this blog post about?

Bower, a popular web package manager, has been found to be vulnerable to archive extractions due to Zip Slip vulnerabilities in its decompress-zip dependency. Two security incidents have been associated with this issue, which were fixed in Bower 1.8.6 and 1.8.8. Despite the rise of other package managers like Webpack, yarn, and npm registry, Bower is still heavily relied upon with nearly two million downloads per month. A security researcher reported an arbitrary file write implemented through improper validation of symlinks resulting from the way Bower handles tar archive extraction. The issue was fixed in Bower 1.8.8 by ignoring any symlinks in packages to be installed.

Company
Snyk

Date published
Jan. 31, 2019

Author(s)
Liran Tal

Word count
995

Language
English

Hacker News points
2


By Matt Makai. 2021-2024.