CVE-2025-11569
Withdrawn Advisory: cross-zip is vulnerable to Directory Traversal through selective use of zip/unzip operations
Description
### Withdrawn Advisory

This advisory has been withdrawn because it does not discuss a valid vulnerability. This link is maintained to preserve external references.

### Original Description

All versions of the package cross-zip are vulnerable to Directory Traversal via consecutive usage of zipSync() and unzipSync() functions that allow arguments such as __dirname. An attacker can access system files by selectively doing zip/unzip operations.
How to fix CVE-2025-11569
No fixed version has been published yet. Mitigate by removing the affected package or applying upstream guidance from the references below.
- npm/cross-zip—no fix listed
Is CVE-2025-11569 being exploited?
No exploitation signal available. Neither CISA KEV nor a current EPSS score has been published for CVE-2025-11569.
Affected packages (1)
- npm/cross-zip: from 0, <= 4.0.1