Versions of `resolve-path` before 1.4.0 are vulnerable to path traversal. `resolve-path` relative path resolving suffers from a lack of file path sanitization for windows based paths.

## Recommendation

Update to version 1.4.0 or later.

Affected Packages

npm resolve-path

Affected versions: 0 (fixed in 1.4.0)

Related CVEs

CVE-2018-3732

Key Information

GHSA ID

GHSA-62g9-6hw5-rwfp

Published

July 18, 2018 9:20 PM

Last Modified

March 1, 2023 1:46 AM

CVSS Score

7.5 /10

Primary Ecosystem

npm

Primary Package

resolve-path

GitHub Reviewed

✓ Yes

Dataset

Last updated: July 2, 2025 6:26 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.