CVE-2026-53486
Summary
by MITRE • 07/15/2026
The decompress package for Node.js extracts archives. Prior to 10.2.1 and 11.1.3, archive extraction can create files and links outside the target directory. When extracting an archive to a directory, a crafted archive can read or write files outside that directory because hardlink and symlink entries are created without checking where targets point, path containment used a string prefix comparison, and file modes failed to remove setuid, setgid, or sticky bits. This issue is fixed in @xhmikosr/decompress versions 10.2.1 and 11.1.3.
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 07/15/2026
The vulnerability in the decompress package for Node.js represents a critical directory traversal flaw that enables attackers to manipulate file system operations beyond intended boundaries. This issue affects versions prior to 10.2.1 and 11.1.3, where the archive extraction process fails to properly validate file paths during decompression operations. The root cause lies in the implementation's failure to perform adequate path containment checks, relying instead on simplistic string prefix comparisons that can be easily bypassed through carefully crafted archive contents. The vulnerability specifically targets the handling of hardlink and symlink entries within archive files, where the system creates symbolic references without validating whether their target paths remain within the designated extraction directory. This flaw allows malicious actors to create file system links or write data to arbitrary locations on the target system, potentially compromising the integrity and security of the entire environment.
The technical implementation of this vulnerability stems from inadequate input validation and path containment mechanisms within the decompress library's archive processing logic. When encountering symbolic link entries in compressed archives, the system creates hardlinks and symlinks without first verifying that their target paths remain within the intended extraction boundaries. The string-based prefix comparison method used for containment validation proves insufficient as it does not account for directory traversal sequences or path manipulation techniques that can circumvent simple prefix checks. Additionally, the library fails to properly sanitize file modes during extraction, specifically neglecting to remove critical setuid, setgid, and sticky bits from extracted files. This omission creates potential privilege escalation opportunities where maliciously crafted archives could result in executables with elevated permissions being created on the target system. The combination of these flaws creates a comprehensive attack surface that allows for both unauthorized file access and system compromise.
The operational impact of this vulnerability extends far beyond simple directory traversal, as it provides attackers with multiple pathways to compromise system security and potentially gain unauthorized access to sensitive data. An attacker could exploit this vulnerability to read files from locations outside the intended extraction directory, potentially accessing system configuration files, user credentials, or other sensitive information stored in protected directories. The ability to create hardlinks and symlinks outside the target directory also enables attackers to manipulate file system structures, potentially causing denial of service conditions or creating persistent backdoor mechanisms. Furthermore, the failure to strip setuid, setgid, and sticky bits from extracted files creates opportunities for privilege escalation attacks where malicious executables could be created with elevated permissions. This vulnerability particularly affects systems that automatically extract archives from untrusted sources, such as web applications processing user-uploaded files or automated deployment systems handling external packages, making it a significant concern for organizations relying on decompression functionality.
Mitigation strategies for this vulnerability must address both the immediate security concerns and implement comprehensive protection mechanisms to prevent similar issues in the future. The most direct solution involves upgrading to @xhmikosr/decompress versions 10.2.1 and 11.1.3, which contain the necessary fixes for path containment validation and file mode sanitization. Organizations should also implement additional protective measures including restricting decompression operations to isolated execution environments, implementing strict file system access controls, and validating all archive contents before extraction through comprehensive input sanitization processes. The fix addresses the core issue by implementing proper path containment checks that validate target paths against the intended extraction directory using robust path resolution techniques rather than simple string prefix comparisons. Additionally, the updated versions ensure that file modes are properly sanitized to remove dangerous permission bits that could lead to privilege escalation. This vulnerability aligns with CWE-22 Directory Traversal and CWE-73 Relative Path Traversal categories, while also demonstrating characteristics of ATT&CK technique T1059 Command and Scripting Interpreter and T1486 Data Encrypted for Impact, as it enables unauthorized access and potential data manipulation through compromised archive extraction processes.