Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Remote attacker-supplied archive (AV:N) needs no privileges (PR:N) but requires the app to extract it (UI:R); arbitrary read and write give C:H/I:H, no availability impact, scope unchanged.
Primary rating from Vendor (cisa-cg).
CVSS VectorVendor: cisa-cg
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
5DescriptionCVE.org
extract-zip does not validate symlink targets when extracting zip archives. When processing a malicious zip file containing a symlink with a relative path like '../../../../etc/passwd', extract-zip will extract the symlink without validation, allowing it to point outside the extraction directory. Depending on how extract-zip is used, an attacker could read or write to arbitrary files.
AnalysisAI
Arbitrary file read/write in the Node.js extract-zip library (max-mapper/extract-zip) arises because symlink entries inside zip archives are extracted without validating their targets. An attacker who supplies a crafted archive containing a symlink with a traversal target such as '../../../../etc/passwd' can cause files to be placed or resolved outside the intended extraction directory, leading to disclosure or modification of sensitive files depending on how the host application uses the extracted output. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that the target application use extract-zip to unpack an attacker-supplied zip archive containing a symbolic-link entry with a relative traversal target (the description explicitly names a symlink path like '../../../../etc/passwd'); no authentication or special privileges are needed (PR:N), but passive interaction is required (UI:P) in that a victim system must actually ingest and extract the malicious archive. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The provided CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N) indicates a network-reachable, low-complexity flaw requiring no privileges but passive operator interaction (the victim application must process the malicious archive), with high confidentiality and integrity impact and no availability impact - consistent with the 8.6 score. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker crafts a zip archive containing a symlink entry whose target is a relative traversal path (e.g. '../../../../etc/passwd' or a path into the application's config/credential directory) and delivers it to a service that uses extract-zip to unpack uploads. … |
| Remediation | No vendor-released patched version was identified in the available data, so an exact fixed release cannot be cited; consult the GitHub Security Advisory GHSA-x7jf-2287-qcpf (https://github.com/ziad626/extract-zip-security-research/security/advisories/GHSA-x7jf-2287-qcpf) and the CISA CSAF advisory (https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2026/va-26-177-01.json) for an upgrade target and apply it once published. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Inventory all applications using extract-zip library across production and staging environments; classify by exposure level based on whether they process untrusted archives from external users. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39812
GHSA-jmr9-qjv8-65gv