CVE-2026-39246 in decompress
Summary
by MITRE • 07/10/2026
decompress before 4.2.2 allows arbitrary symlink creation during archive extraction. When processing symlink entries (type === 'symlink'), the x.linkname field from the archive is passed directly to fs.symlink() without validation (index.js line 121). The preventWritingThroughSymlink check on line 98 only applies to file entries, not symlink creation. An attacker can craft an archive with symlink entries pointing to sensitive files outside the extraction directory (e.g., /etc/passwd), enabling information disclosure when the application reads the extracted contents.
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 07/10/2026
This vulnerability exists in the decompress library version 4.2.2 and earlier, where the archive extraction process fails to properly validate symbolic link entries during decompression. The flaw occurs specifically when processing symlink entries with type === 'symlink' as the code directly passes the x.linkname field from the archive to fs.symlink() without any validation checks. This represents a classic path traversal vulnerability that can be exploited through improper input sanitization and lacks proper access control measures. The implementation fails to consider the security implications of allowing arbitrary symbolic link creation during archive extraction, which violates fundamental security principles of least privilege and input validation.
The technical execution of this vulnerability relies on an attacker crafting a malicious archive containing carefully constructed symlink entries that point to sensitive files outside the intended extraction directory. The preventWritingThroughSymlink check implemented on line 98 only addresses file entries and does not extend to symbolic link creation, creating a critical gap in the security controls. This oversight allows attackers to bypass normal access restrictions and create symbolic links pointing to system-critical files such as /etc/passwd or other sensitive locations. The vulnerability operates at the filesystem level, leveraging the underlying operating system's symbolic link creation capabilities without proper authorization checks.
The operational impact of this vulnerability is significant as it enables information disclosure attacks where attackers can gain unauthorized access to sensitive system files and configuration data. When applications extract archives containing malicious symlinks, they may inadvertently create symbolic links that point to protected resources, allowing subsequent application reads to access restricted content through the symbolic link mechanism. This could lead to exposure of authentication credentials, system configuration details, or other confidential information that should remain protected. The vulnerability affects any application using the decompress library for archive processing and can be exploited in environments where untrusted archives are processed.
Mitigation strategies should focus on implementing proper input validation for all archive entries including symbolic links before allowing filesystem operations to proceed. The fix requires modifying the code to validate symlink targets against a whitelist of acceptable paths or implement comprehensive path sanitization that prevents creation of symlinks pointing outside the intended extraction directory. Organizations should also consider implementing additional security controls such as running archive extraction processes with reduced privileges, implementing proper access controls on extraction directories, and conducting regular security assessments of third-party libraries. This vulnerability aligns with CWE-22 Path Traversal and CWE-352 Cross-Site Request Forgery categories, representing a serious security risk that requires immediate attention and remediation. The ATT&CK framework categorizes this as privilege escalation through file system manipulation, where attackers leverage weak input validation to gain access to restricted resources and escalate their privileges within the affected system environment.