When using the Extract() method of unzip-stream, malicious zip files were able to write to paths they shouldn't be allowed to.
Extract()
Fixed in 0.3.2
Justin Taft from Google