GHSA-ccqh-278p-xq6w: webcrack has an Arbitrary File Write Vulnerability on Windows when Parsing and Saving a Malicious Bundle
An arbitrary file write vulnerability exists in the webcrack module when it processes specially crafted malicious code on Windows systems. The vulnerability is triggered when the unpack bundles feature is used together with the saving feature. If a module name contains a path traversal sequence built from Windows path separators, an attacker can use it to overwrite files on the host system.
References
- github.com/advisories/GHSA-ccqh-278p-xq6w
- github.com/j4k0xb/webcrack
- github.com/j4k0xb/webcrack/blob/241f9469e6401f3dabc6373233d85a5e76966b54/packages/webcrack/src/unpack/bundle.ts
- github.com/j4k0xb/webcrack/commit/4bc5c6f353012ee7edc2cb39d01a728ab7426999
- github.com/j4k0xb/webcrack/security/advisories/GHSA-ccqh-278p-xq6w