CVE-2022-48285: 
JavaScript vulnerability analysis and mitigation

JSZip before version 3.8.0 contains a directory traversal vulnerability in its loadAsync function that allows attackers to exploit the system via a crafted ZIP archive (NVD, CVE Mitre). The vulnerability was discovered and disclosed on January 29, 2023, affecting all versions of JSZip prior to 3.8.0.

The vulnerability exists in the loadAsync function of JSZip, which failed to properly sanitize file paths when processing ZIP archives. This could allow directory traversal attacks through specially crafted ZIP files. The vulnerability has been assigned a CVSS v3.1 base score of 7.3 (High), with the attack vector being Network (N), attack complexity Low (L), requiring no privileges (N) or user interaction (N), and affecting confidentiality, integrity, and availability all at Low (L) levels (NetApp Security).

When successfully exploited, this vulnerability could lead to disclosure of sensitive information, addition or modification of data, or Denial of Service (DoS). The vulnerability allows attackers to potentially write files outside the intended extraction directory through directory traversal sequences in the ZIP archive (NetApp Security).

The vulnerability has been fixed in JSZip version 3.8.0. The fix includes sanitizing filenames when files are loaded with loadAsync to prevent zip slip attacks. The original filename is now available on each zip entry as unsafeOriginalName for reference. Users should upgrade to JSZip version 3.8.0 or later to address this vulnerability (GitHub Commit).