Withdrawn Advisory: cross-zip is vulnerable to Directory Traversal through selective use of zip/unzip operations

CVE-2025-11569 → View on GitHub ↗ View on CVE.org ↗ View on NVD ↗

Description

Withdrawn Advisory

This advisory has been withdrawn because it does not discuss a valid vulnerability. This link is maintained to preserve external references.

Original Description

All versions of the package cross-zip are vulnerable to Directory Traversal via consecutive usage of zipSync() and unzipSync () functions that allow arguments such as __dirname. An attacker can access system files by selectively doing zip/unzip operations.

Basic information

Type: reviewed
Severity: low
Advisory on GitHub: Open advisory ↗
Repository advisory: —
Source code: Browse source ↗
Published (advisory): 2025-10-10 06:30:55 UTC
Updated: 2025-10-20 17:49:02 UTC
GitHub reviewed: 2025-10-10 23:49:44 UTC
NVD published: 2025-10-10
Withdrawn: 2025-10-20 17:49:01 UTC

EPSS Score

Score	Percentile
0.35%	56.73%

CVSS Scores

No CVSS scores in this advisory.

Identifiers

Type	Value
GHSA	GHSA-gj5f-73vh-wpf7 ↗
CVE	CVE-2025-11569 ↗

CWEs

CWE id	Name
CWE-22	Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Credits

MarshallOfSound (analyst)

Affected packages (1)

Vulnerable version ranges and first patched releases as published by GitHub.

Ecosystem	Package	Vulnerable range	First patched	Vulnerable functions
npm	cross-zip	<= 4.0.1	—	—

References

cvelogic Threat Intelligence