CVE-2026-56876 in extract-zip
Summary
by MITRE • 06/26/2026
extract-zip does not validate symlink targets when extracting zip archives. When processing a malicious zip file containing a symlink with a relative path like '../../../../etc/passwd', extract-zip will extract the symlink without validation, allowing it to point outside the extraction directory. Depending on how extract-zip is used, an attacker could read or write to arbitrary files.
Analysis
by VulDB Data Team • 06/26/2026
The vulnerability in extract-zip stems from insufficient validation of symbolic link targets during zip archive extraction, which creates a path traversal risk that malicious actors can exploit. The flaw sits in the decompression logic's handling of symbolic links: the library never verifies that a symlink's target remains within the intended extraction boundary. It is triggered by a zip archive containing a symbolic link whose relative target refers to a file outside the designated extraction directory, which bypasses the access controls and security boundary that the extraction directory is meant to enforce.
This weakness is a direct violation of secure coding practice and can be classified under CWE-355 as inadequate input validation in a path traversal scenario. An attacker can craft a zip archive containing a symbolic link with a carefully chosen relative target such as '../../../../etc/passwd'; when extract-zip processes the archive, it creates the symbolic link pointing outside the intended extraction directory. The impact goes beyond simple file access: depending on how the extracted tree is later used, the link can provide arbitrary read or write access to files that should remain protected from unauthorized access.
The operational consequences are significant, particularly in software supply chain settings where archives from untrusted sources are routinely extracted. An attacker exploiting this weakness could read sensitive system files, including password databases, configuration files, or other critical resources that should be isolated from the extraction process. Write operations also become possible when a symbolic link points to a writable location outside the extraction directory, letting an attacker modify system files, inject malicious code into critical components, or otherwise compromise the integrity of the target system.
The vulnerability aligns with several ATT&CK techniques, including T1059 for command and scripting interpreter usage and T1566 for credential access through malicious file delivery mechanisms. Security teams should apply immediate mitigations: validate every symbolic link target against the extraction directory boundary, enforce strict path validation checks, and run extract-zip or similar tools with restricted permissions during archive processing. Organizations should also update to a patched version of extract-zip where one is available, apply network segmentation controls, and monitor for suspicious file extraction activity that may indicate exploitation attempts. Remediation should include thorough testing of extraction workflows and a review of symbolic link handling in other software components across the organization's attack surface, so that similar vulnerabilities are caught before they are exploited.