It was discovered that npm/fstream incorrectly handled certain crafted tarballs. An attacker could use this vulnerability to write aritrary files to the filesystem.
{ "availability": "No subscription required", "binaries": [ { "node-fstream": "1.0.10-1ubuntu0.18.04.1" } ] }