PT-2026-56053 · Npm · Decompress+1
Published
2026-07-06
·
Updated
2026-07-07
·
CVE-2026-53486
CVSS v3.1
9.1
Critical
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N |
Name of the Vulnerable Software and Affected Versions
@xhmikosr/decompress versions prior to 10.2.1
@xhmikosr/decompress versions prior to 11.1.3
decompress versions prior to 4.3.0
Description
When extracting archives to a directory, a crafted archive can read or write files outside that directory. This issue affects all handled formats, including tar, tar.gz, tar.bz2, and zip. The flaw occurs because link (hardlink) or symlink entries are created without verifying their targets, allowing a hardlink to expose any file the process can read and a symlink to redirect subsequent writes outside the output directory. Additionally, the path containment check used a string prefix comparison, which allows entries to escape into sibling directories that share the same prefix as the output directory. Furthermore, file modes were applied without removing setuid, setgid, or sticky bits, which can lead to the creation of privileged files if the extraction process runs as root.
Recommendations
Update @xhmikosr/decompress to version 10.2.1 or later.
Update @xhmikosr/decompress to version 11.1.3 or later.
Migrate from decompress to @xhmikosr/decompress version 11.1.3 or later.
Extract only trusted archives.
Run the extraction process as a non-root user to prevent the creation of privileged files.
After extraction, reject any symlink or hardlink that points outside the target directory and any file with unexpected mode bits.
Fix
Path traversal
Link Following
Incorrect Permission
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
@Xhmikosr/Decompress
Decompress