SCA: security update for adm-zip (GHSA-xcpc-8h2w-3j85)

high Tenable Cloud Security Plugin ID 444852

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- adm-zip before 0.5.18 is vulnerable to denial of service via a crafted ZIP file with a manipulated
uncompressed size header field. In zipEntry.js line 103, Buffer.alloc(_centralHeader.size) allocates
memory based on the declared uncompressed size from the ZIP central directory header without validating it
against the actual compressed data size or imposing any upper bound. The size value is read directly from
the binary header at entryHeader.js line 266 with no bounds check. An attacker can craft a ~120-byte ZIP
file that declares ~4GB uncompressed size, causing a memory allocation amplification ratio of over 33
million to 1. The allocation occurs before CRC validation, so the malicious payload cannot be rejected
early. All extraction and read methods are affected: readFile(), readAsText(), extractEntryTo(),
extractAllTo(), extractAllToAsync(), test(), and entry.getData(). Any application accepting untrusted ZIP
files via adm-zip is vulnerable to immediate process crash. (CVE-2026-39244)

Solution

Update the adm-zip library and its related packages to version 0.6.0 or later.

See Also

https://github.com/advisories/GHSA-xcpc-8h2w-3j85

Plugin Details

Severity: High

ID: 444852

Version: Revision 1.1

Type: Local

Family: SCA Checks

Published: 7/18/2026

Updated: 7/18/2026

Risk Information

VPR

Risk Factor: Low

Score: 3

Percentile: 23.77

Vendor

Vendor Severity: High

CVSS v2

Risk Factor: High

Base Score: 7.8

Temporal Score: 5.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C

CVSS Score Source: CVE-2026-39244

CVSS v3

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 7/10/2026

Vulnerability Publication Date: 7/10/2026

Reference Information

CVE: CVE-2026-39244