GHSA-8225-6cvr-8pqp
GitHub Security Advisory
superagent vulnerable to zip bomb attacks
✓ GitHub Reviewed
MODERATE
Has CVE
Advisory Details
Affected versions of `superagent` do not check the post-decompression size of ZIP compressed HTTP responses prior to decompressing. This results in the package being vulnerable to a [ZIP bomb](https://en.wikipedia.org/wiki/Zip_bomb) attack, where an extremely small ZIP file becomes many orders of magnitude larger when decompressed.
This may result in unrestrained CPU/Memory/Disk consumption, causing a denial of service condition.
## Recommendation
Update to version 3.7.0 or later.
Affected Packages
npm
superagent
Affected versions: 0 (fixed in 3.7.0)
Related CVEs
Key Information
Severity score: 5.0/10
Dataset
Last updated: July 6, 2025 6:30 AM
Data from GitHub Advisory Database. This information is provided for research and educational purposes.