I'm using pako in version 1.0.11 via jszip and wanted to know, whether this is affected by CVE-2018-25032 or not. I'm unsure whether by design JavaScript is not vulnerable to such an attack but wanted to make sure.

JS does not allows out of bounds writes.

Ok, thanks for clarification.