CVE-2026-10732 in decompress
Summary
by MITRE • 06/05/2026
All versions of the package decompress are vulnerable to Arbitrary File Write via Archive Extraction (Zip Slip) when extracting a ZIP archive containing two entries with the same path: the first being a symlink to an arbitrary target and the second being a regular file. The file content is written through the symlink to the target location outside the output directory. This is due to the microtask processing order, which checks readlink for the second file before resolving the symlink for the first file. An attacker can write an arbitrary file on the host filesystem, potentially leading to remote code execution, by providing a specially crafted ZIP archive.
**Note:**
This bypasses all existing path traversal protections including preventWritingThroughSymlink, added as a part of the fix for [CVE-2020-12265](https://security.snyk.io/vuln/SNYK-JS-DECOMPRESS-557358).
Analysis
by VulDB Data Team • 06/05/2026
The vulnerability in the decompress package is a Zip Slip variant (arbitrary file write via archive extraction) that depends on the order in which the extractor processes entries rather than on a malformed path. It affects all versions of the package and shows that a per-entry symlink check can be defeated by the layout of the archive alone. The malicious archive holds two entries with the same path: the first is a symbolic link whose target lies outside the extraction directory, the second a regular file. The readlink check that should protect the second entry runs before the first entry's symlink has been resolved, so the check does not see the link; when the second entry's content is written afterwards, the link exists on disk and the write follows it to the target outside the output directory.
The weakness is CWE-22 (Improper Limitation of a Pathname to a Restricted Directory, 'Path Traversal'). It has no single ATT&CK technique: an arbitrary file write becomes code execution only when the attacker can target a file the host later executes or loads, such as a startup script, a cron entry, a shell profile or a module of the application that performed the extraction, and which of those are reachable depends on where the extracting process may write. The attack bypasses preventWritingThroughSymlink, the protection added for CVE-2020-12265, because that check runs per entry and, with this archive layout, it runs for the second entry before the first entry's symlink has been resolved, so the scenario the fix was written for (an existing symlink at the destination) never appears to the check. The consequence is not limited to the output directory: any path the process can write to is a candidate for overwrite, which is what makes privilege escalation and remote code execution plausible.
The operational impact is an arbitrary file write at any location the extracting process has permission to write. That is enough to overwrite configuration or application files, drop code into a path the application or the system later loads, or plant a persistence mechanism. The exposed deployments are those that feed untrusted archives to decompress: web applications unpacking user uploads, build or deployment pipelines unpacking third-party artifacts, and batch jobs ingesting external data. Because the bypass defeats a protection that was added specifically for this class of bug, the package's symlink handling should be treated as unreliable for untrusted input; when the extracting process runs as a privileged user, the realistic outcome is full compromise of the host.
Mitigation starts with the version question: the summary lists all versions as affected, so check the project for a release that addresses this specific issue before assuming an update is available, and until one ships treat decompress as unsafe for archives from untrusted sources. Independent of the package, validate the archive before extraction rather than relying on checks inside the extractor: read the entry list, reject archives containing symlink entries unless the application genuinely needs them, reject duplicate entry names, and reject absolute paths and ".." components after normalising separators. Extract into a fresh, empty directory and run the extracting process as an unprivileged user whose writable paths are confined to that directory, so that a write which escapes the output directory has nowhere useful to land. A correct fix in the extractor must resolve and validate every symlink before any entry's content is written, regardless of the order in which the entries' promises settle, so that preventWritingThroughSymlink cannot be raced by an earlier entry in the same archive. Logging which archives were extracted and which contained symlink or duplicate entries gives a detection signal and the evidence needed for incident response if exploitation is suspected.
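The pre-extraction audit described above, as an added example that is not part of the advisory or of decompress itself. It builds an in-memory ZIP with the exact layout the summary describes (a symlink entry followed by a regular file entry at the same path, with the symlink's target outside the output directory), then parses the central directory and applies the policy checks before anything is written to disk. The helper names (buildZip, readCentralDirectory, auditZipEntries, auditSample) and the sample entries are invented for this example; the ZIP field offsets follow the PKWARE APPNOTE, and the symlink flag is read from the Unix mode in the central-directory external attributes, which is where archivers store it.

```javascript
// Added example, not decompress's own code: construct a ZIP with the
// advisory's entry layout and audit its central directory before extraction.
// Helper names are hypothetical; field offsets follow the PKWARE APPNOTE.
const S_IFMT = 0o170000, S_IFLNK = 0o120000;

// CRC-32 so the constructed archive is well-formed (extractors verify it).
const CRC_TABLE = new Int32Array(256).map((_, n) => {
  let c = n;
  for (let k = 0; k < 8; k++) c = c & 1 ? 0xedb88320 ^ (c >>> 1) : c >>> 1;
  return c;
});
function crc32(buf) {
  let c = -1;
  for (const b of buf) c = CRC_TABLE[(c ^ b) & 0xff] ^ (c >>> 8);
  return (c ^ -1) >>> 0;
}

// Build a stored (method 0) ZIP from [{ name, data, mode }]. The Unix mode
// goes in the high 16 bits of the central-directory external attributes,
// which is how symlink entries are marked; a symlink entry's data is its
// target path. Buffer.alloc zero-fills, so unlisted fields are zero.
function buildZip(entries) {
  const locals = [], centrals = [];
  let offset = 0;
  for (const e of entries) {
    const name = Buffer.from(e.name, 'utf8');
    const data = Buffer.from(e.data, 'utf8');
    const crc = crc32(data);
    const lh = Buffer.alloc(30);                      // local file header
    lh.writeUInt32LE(0x04034b50, 0); lh.writeUInt16LE(20, 4);
    lh.writeUInt32LE(crc, 14);
    lh.writeUInt32LE(data.length, 18); lh.writeUInt32LE(data.length, 22);
    lh.writeUInt16LE(name.length, 26);
    locals.push(lh, name, data);
    const ch = Buffer.alloc(46);                      // central directory header
    ch.writeUInt32LE(0x02014b50, 0);
    ch.writeUInt16LE(0x0314, 4);                      // made by: Unix (3), v2.0
    ch.writeUInt16LE(20, 6);
    ch.writeUInt32LE(crc, 16);
    ch.writeUInt32LE(data.length, 20); ch.writeUInt32LE(data.length, 24);
    ch.writeUInt16LE(name.length, 28);
    ch.writeUInt32LE((e.mode << 16) >>> 0, 38);       // external attributes
    ch.writeUInt32LE(offset, 42);                     // local header offset
    centrals.push(ch, name);
    offset += 30 + name.length + data.length;
  }
  const cd = Buffer.concat(centrals);
  const eocd = Buffer.alloc(22);                      // end of central directory
  eocd.writeUInt32LE(0x06054b50, 0);
  eocd.writeUInt16LE(entries.length, 8); eocd.writeUInt16LE(entries.length, 10);
  eocd.writeUInt32LE(cd.length, 12); eocd.writeUInt32LE(offset, 16);
  return Buffer.concat([...locals, cd, eocd]);
}

// Parse the central directory into [{ name, mode, isSymlink }]. The mode is
// only meaningful when the "made by" host is Unix (3); local headers carry none.
function readCentralDirectory(zip) {
  let eocd = -1;                                      // scan back past any comment
  for (let i = zip.length - 22; i >= 0; i--) {
    if (zip.readUInt32LE(i) === 0x06054b50) { eocd = i; break; }
  }
  if (eocd < 0) throw new Error('no end-of-central-directory record');
  const count = zip.readUInt16LE(eocd + 10);
  let p = zip.readUInt32LE(eocd + 16);
  const entries = [];
  for (let i = 0; i < count; i++) {
    if (zip.readUInt32LE(p) !== 0x02014b50) throw new Error('bad central header');
    const madeBy = zip.readUInt16LE(p + 4) >> 8;
    const nameLen = zip.readUInt16LE(p + 28);
    const extraLen = zip.readUInt16LE(p + 30);
    const commentLen = zip.readUInt16LE(p + 32);
    const mode = madeBy === 3 ? zip.readUInt32LE(p + 38) >>> 16 : 0;
    const name = zip.toString('utf8', p + 46, p + 46 + nameLen);
    entries.push({ name, mode, isSymlink: (mode & S_IFMT) === S_IFLNK });
    p += 46 + nameLen + extraLen + commentLen;
  }
  return entries;
}

// Pre-extraction policy: no symlink entries, no duplicate names, no absolute
// or parent-relative names. The advisory's archive trips the first two.
function auditZipEntries(entries) {
  const problems = [], seen = new Set();
  for (const { name, isSymlink } of entries) {
    if (isSymlink) problems.push(`symlink entry: ${name}`);
    if (seen.has(name)) problems.push(`duplicate entry: ${name}`);
    seen.add(name);
    const parts = name.split(/[\\/]+/);
    if (/^([A-Za-z]:)?[\\/]/.test(name) || parts.includes('..')) {
      problems.push(`traversal in entry name: ${name}`);
    }
  }
  return problems;
}

// Constructed sample with the advisory's layout: symlink first, regular file
// second, same name; the symlink target points outside the output directory.
const SAMPLE_ZIP = buildZip([
  { name: 'config.json', data: '../../outside/config.json', mode: 0o120777 },
  { name: 'config.json', data: '{"patched": false}', mode: 0o100644 },
]);
function auditSample() {
  return auditZipEntries(readCentralDirectory(SAMPLE_ZIP));
}
console.log(auditSample());
```

The audit reads only the central directory, so it never creates anything on disk and is therefore immune to the ordering problem the advisory describes: the decision to refuse the archive is made before the first entry is written. Applying it to the buffer before handing it to any extractor (decompress accepts a Buffer as input) turns the two-entry trick into a rejected upload, and the logged problem strings are the detection signal mentioned above.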