
security: update ZIPFoundation to 0.9.18 #2666

Closed
Seungwan98 wants to merge 1 commit into airbnb:master from Seungwan98:security/zipfoundation-clean

@Seungwan98

Summary

Updates embedded ZIPFoundation from 0.9.16 to 0.9.18 to fix CVE-2023-39138 (path escape vulnerability).

Changes

  • Updated all ZIPFoundation source files from 0.9.16 to 0.9.18
  • Added new files:
    • Archive+Deprecated.swift
    • Date+ZIP.swift
    • FileManager+ZIPDeprecated.swift
  • Changed all public access modifiers to internal (following Lottie conventions)
  • Updated README.md version reference

Security

Fixes CVE-2023-39138: Path escape vulnerability in ZIPFoundation

References:

Related Issue

Resolves #2494

Updates embedded ZIPFoundation from 0.9.16 to 0.9.18 to fix CVE-2023-39138
(path escape vulnerability).

Changes:
- Updated all ZIPFoundation source files to 0.9.18
- Added new files: Archive+Deprecated.swift, Date+ZIP.swift,
  FileManager+ZIPDeprecated.swift
- Changed all public symbols to internal as per Lottie conventions

Security: Fixes CVE-2023-39138 (path escape vulnerability)
Resolves airbnb#2494
@Seungwan98 Seungwan98 closed this Mar 9, 2026

Development

Successfully merging this pull request may close these issues.

Please move to the latest version of ZIPFoundation to arrest a security vulnerability
