CVE-2025-11569: Withdrawn Advisory: cross-zip is vulnerable to Directory Traversal through selective use of zip/unzip operations

October 10, 2025 (updated October 20, 2025)

Withdrawn Advisory

This advisory has been withdrawn because it does not discuss a valid vulnerability. This link is maintained to preserve external references.

Original Description

All versions of the package cross-zip are vulnerable to Directory Traversal via consecutive usage of zipSync() and unzipSync () functions that allow arguments such as __dirname. An attacker can access system files by selectively doing zip/unzip operations.

References

gist.github.com/mcoimbra/9ab12a6187fac41d2fa7ba594ed535ac
github.com/advisories/GHSA-gj5f-73vh-wpf7
github.com/feross/cross-zip
github.com/feross/cross-zip/blob/eba335474e6142468bd8904f6456208db906d40d/index.js%23L94
nvd.nist.gov/vuln/detail/CVE-2025-11569
security.snyk.io/vuln/SNYK-JS-CROSSZIP-6105396

Code Behaviors & Features

Detect and mitigate CVE-2025-11569 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →