Skip to content

deps: update dependency adm-zip to v0.6.0 [security]#2144

Merged
renovate[bot] merged 1 commit into
mainfrom
renovate/npm-adm-zip-vulnerability
Jul 18, 2026
Merged

deps: update dependency adm-zip to v0.6.0 [security]#2144
renovate[bot] merged 1 commit into
mainfrom
renovate/npm-adm-zip-vulnerability

Conversation

@renovate

@renovate renovate Bot commented Jul 18, 2026

Copy link
Copy Markdown
Contributor

This PR contains the following updates:

Package Change Age Confidence
adm-zip 0.5.180.6.0 age confidence

adm-zip: Crafted ZIP file triggers 4GB memory allocation

CVE-2026-39244 / GHSA-xcpc-8h2w-3j85

More information

Details

adm-zip before 0.5.18 is vulnerable to denial of service via a crafted ZIP file with a manipulated uncompressed size header field. In zipEntry.js line 103, Buffer.alloc(_centralHeader.size) allocates memory based on the declared uncompressed size from the ZIP central directory header without validating it against the actual compressed data size or imposing any upper bound. The size value is read directly from the binary header at entryHeader.js line 266 with no bounds check. An attacker can craft a ~120-byte ZIP file that declares ~4GB uncompressed size, causing a memory allocation amplification ratio of over 33 million to 1. The allocation occurs before CRC validation, so the malicious payload cannot be rejected early. All extraction and read methods are affected: readFile(), readAsText(), extractEntryTo(), extractAllTo(), extractAllToAsync(), test(), and entry.getData(). Any application accepting untrusted ZIP files via adm-zip is vulnerable to immediate process crash.

Severity

  • CVSS Score: 7.5 / 10 (High)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Release Notes

cthackers/adm-zip (adm-zip)

v0.6.0

Compare Source

==================

Security

  • Fixed CVE-2026-39244: a crafted archive declaring a huge uncompressed size could force an unbounded Buffer.alloc (memory exhaustion / DoS) before any validation. Allocation is now bounded by the data actually present — STORED output is sized from the real bytes, DEFLATED output is grown by the inflater and capped at the declared size (#​568)
  • Hardened the internal entry-name lookup table against object injection: entry names come from untrusted archives, and a name such as __proto__ previously resolved to Object.prototype, crashing addFile and hiding the entry from getEntry/readFile. The table is now prototype-less

Bug fixes

  • Fixed a regression (0.5.15) that rejected valid archives using a data descriptor (general-purpose bit 3). The payload is now validated against the authoritative central-directory CRC instead of requiring/parsing the trailing descriptor (#​548, #​533, #​554)
  • Fixed extractAllTo/extractAllToAsync not restoring directory permissions with keepOriginalPermission; directory modes are applied after their contents are written, deepest path first, and no longer lock the extractor out of a restrictive directory (#​530)
  • Fixed infinite recursion in addLocalFolder when a folder contains a symlink pointing back to an ancestor (e.g. workspace node_modules); the walk now tracks resolved real paths and skips already-visited directories (#​541)
  • Fixed an uncaught exception (ERR_INVALID_ARG_TYPE) that crashed the process when writeFileToAsync could not open the target file (bad permissions, invalid filename, exhausted file descriptors); write failures are now reported through the callback and write errors are no longer silently swallowed (#​470, #​459, #​402)
  • Fixed directory entries reporting an empty name (e.g. a/b/c/ now returns c) (#​466)
  • Fixed extractEntryTo flattening subdirectories when maintainEntryPath is false; the structure below the extracted directory is now preserved instead of collapsing (and overwriting) files by basename (#​306)
  • Fixed a failed utimes aborting extraction; setting the modification time is now best-effort and never fails extraction of already-written content (#​379)
  • Fixed test() always returning false for any archive containing a file (it indexed the entries array with an entry object instead of reading the entry); it now correctly verifies each entry's CRC

Performance

  • Faster entry sorting when writing archives with many entries: names are decoded once instead of on every comparison (about 6× faster sort for large archives)

Added

  • Bundled TypeScript type definitions (types.d.ts), so @types/adm-zip is no longer required

Notes

  • Behavior change: extractEntryTo(dir, target, /* maintainEntryPath */ false) now preserves subdirectories beneath the extracted directory rather than flattening them
  • Behavior change: extraction no longer fails when the modification time cannot be set

Configuration

📅 Schedule: (in timezone Europe/Tallinn)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate
renovate Bot enabled auto-merge (rebase) July 18, 2026 05:11
@renovate
renovate Bot merged commit e30fb86 into main Jul 18, 2026
6 checks passed
@renovate
renovate Bot deleted the renovate/npm-adm-zip-vulnerability branch July 18, 2026 05:41
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant