An open index of dependabot pull requests across open source projects.

superagent vulnerable to zip bomb attacks

Severity: MODERATE
GHSA-8225-6cvr-8pqp CVE-2017-16129
Description:

Affected versions of superagent do not check the post-decompression size of ZIP compressed HTTP responses prior to decompressing. This results in the package being vulnerable to a ZIP bomb attack, where an extremely small ZIP file becomes many orders of magnitude larger when decompressed.

This may result in unrestrained CPU/Memory/Disk consumption, causing a denial of service condition.

Recommendation

Update to version 3.7.0 or later.

Affected Packages

Ecosystem  Package     Vulnerable Versions  Patched Version
npm        superagent  < 3.7.0              3.7.0
Related Dependabot Pull Requests
Advisory Details
Published: August 09, 2018
Updated: April 04, 2026
CVSS Score: 5.9 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS: 0.39% 60th percentile
Source: Github
Classification: GENERAL
UUID: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTgyMjUtNmN2ci04cHFw