CVE-2026-53486 in decompress정보

요약

\~에 의해 MITRE • 2026. 07. 15.

The decompress package for Node.js extracts archives. Prior to 10.2.1 and 11.1.3, archive extraction can create files and links outside the target directory. When extracting an archive to a directory, a crafted archive can read or write files outside that directory because hardlink and symlink entries are created without checking where targets point, path containment used a string prefix comparison, and file modes failed to remove setuid, setgid, or sticky bits. This issue is fixed in @xhmikosr/decompress versions 10.2.1 and 11.1.3.

If you want to get best quality of vulnerability data, you may have to visit VulDB.

책임이 있는

GitHub M

예약하다

2026. 06. 09.

모더레이션

수락

항목

VDB-379164

EPSS

0.00588

출처

Might our Artificial Intelligence support you?

Check our Alexa App!