Affected versions of superagent do not check the post-decompression size of ZIP compressed HTTP responses prior to decompressing. This results in the package being vulnerable to a ZIP bomb attack, where an extremely small ZIP file becomes many orders of magnitude larger when decompressed.

This may result in unrestrained CPU/Memory/Disk consumption, causing a denial of service condition.

Recommendation

Update to version 3.7.0 or later.

References

• https://nvd.nist.gov/vuln/detail/CVE-2017-16129
• ladjs/superagent#1259
• https://en.wikipedia.org/wiki/Zip_bomb
• GHSA-8225-6cvr-8pqp
• https://www.npmjs.com/advisories/479