PT-2026-56053 · Npm · Decompress+1

Published

2026-07-06

·

Updated

2026-07-07

·

CVE-2026-53486

CVSS v3.1

9.1

Critical

VectorAV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions @xhmikosr/decompress versions prior to 10.2.1 @xhmikosr/decompress versions prior to 11.1.3 decompress versions prior to 4.3.0
Description When extracting archives to a directory, a crafted archive can read or write files outside that directory. This issue affects all handled formats, including tar, tar.gz, tar.bz2, and zip. The flaw occurs because link (hardlink) or symlink entries are created without verifying their targets, allowing a hardlink to expose any file the process can read and a symlink to redirect subsequent writes outside the output directory. Additionally, the path containment check used a string prefix comparison, which allows entries to escape into sibling directories that share the same prefix as the output directory. Furthermore, file modes were applied without removing setuid, setgid, or sticky bits, which can lead to the creation of privileged files if the extraction process runs as root.
Recommendations Update @xhmikosr/decompress to version 10.2.1 or later. Update @xhmikosr/decompress to version 11.1.3 or later. Migrate from decompress to @xhmikosr/decompress version 11.1.3 or later. Extract only trusted archives. Run the extraction process as a non-root user to prevent the creation of privileged files. After extraction, reject any symlink or hardlink that points outside the target directory and any file with unexpected mode bits.

Fix

Path traversal

Link Following

Incorrect Permission

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-53486
GHSA-MP2F-45PM-3CG9

Affected Products

@Xhmikosr/Decompress
Decompress