yauzl (aka Yet Another Unzip Library) version 3.2.0 for Node.js contains an off-by-one error in the NTFS extended timestamp extra field parser within the getLastModDate() function. The while loop condition checks cursor < data.length + 4 instead of cursor + 4 <= data.length, allowing readUInt16LE() to read past the buffer boundary. A remote attacker can cause a denial of service (process crash via ERR_OUT_OF_RANGE exception) by sending a crafted zip file with a malformed NTFS extra field.
This affects any Node.js application that processes zip file uploads and calls entry.getLastModDate() on parsed entries. Fixed in version 3.2.1.
Attack Parameters
Attack Vector
Network
Can be exploited remotely
Attack Complexity
Low
Easy to exploit
Attack Requirements
None
No additional conditions
Privileges Required
None
No privileges needed
User Interaction
None
No user interaction needed
Impact Assessment
Confidentiality
None
No data leak
Integrity
None
No data modification
Availability
Low
Partial disruption
CVSS Vector v4.0
Weakness Type (CWE)
References 4
https://github.com/thejoshwolfe/yauzl/commit/c4695215b05c6adffda613b9051a2a8542…
disclosure@vulncheck.com
https://www.codeant.ai/security-research/yauzl-denial-of-service-zip-file-crash
disclosure@vulncheck.com
https://www.npmjs.com/package/yauzl
disclosure@vulncheck.com
https://www.vulncheck.com/advisories/yauzl-denial-of-service-via-off-by-one-err…
disclosure@vulncheck.com