Skip to main content

decompress EUVDEUVD-2026-34785

| CVE-2026-10732 MEDIUM
Path Traversal: '\\..\\filename' (CWE-29)
2026-06-05 snyk GHSA-h39j-r5qq-r9mm
5.6
CVSS 4.0 · Vendor: snyk
Share

Severity by source

Vendor (snyk) PRIMARY
5.6 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Red Hat
7.5 HIGH
qualitative

Primary rating from Vendor (snyk).

CVSS VectorVendor: snyk

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
P
Scope
X

Lifecycle Timeline

3
Source Code Evidence Fetched
Jun 05, 2026 - 07:22 vuln.today
Analysis Generated
Jun 05, 2026 - 07:22 vuln.today
CVSS changed
Jun 05, 2026 - 07:22 NVD
6.4 (MEDIUM) 5.6 (MEDIUM)

DescriptionCVE.org

All versions of the package decompress are vulnerable to Arbitrary File Write via Archive Extraction (Zip Slip) when extracting a ZIP archive containing two entries with the same path - the first being a symlink to an arbitrary target and the second being a regular file - the file content is written through the symlink to the target location outside the output directory. This is due to the microtask processing order that checks readlink for the second file before resolving symlink for the first file. An attacker can write arbitrary file on the host filesystem potentially leading to remote code execution by providing a specially crafted ZIP archive. Note: This bypasses all existing path traversal protections including preventWritingThroughSymlink, added as a part of the fix for CVE-2020-12265.

AnalysisAI

Arbitrary file write in the npm decompress package (all versions) exploits a second-generation Zip Slip bypass that circumvents protections introduced in the CVE-2020-12265 fix. By crafting a ZIP archive where a symlink entry and a same-named regular file share an identical path, an attacker leverages microtask scheduling order to write file contents through the unresolved symlink to arbitrary locations outside the extraction output directory, creating a realistic path to remote code execution. Publicly available exploit code exists per the E:P temporal modifier and a published PoC Gist, elevating real-world concern especially for applications processing untrusted archives in automated pipelines.

Technical ContextAI

The decompress npm package (CPE: cpe:2.3:a:n/a:decompress:*:*:*:*:*:*:*:*) provides archive extraction for Node.js. CWE-29 (Path Traversal using '../../filename') describes the root cause class: the extractor fails to confine extracted content to the intended output directory. The specific mechanism is a microtask ordering flaw in the async extraction pipeline - when a ZIP contains a symlink entry and a same-path regular file, the readlink check for the second entry executes before the symlink from the first entry is resolved, bypassing the preventWritingThroughSymlink guard added to address CVE-2020-12265. A secondary code-level flaw exposed in GitHub PR #112 is an indexOf prefix confusion bug: the original guard checked realParentPath.indexOf(realOutputPath) !== 0, which incorrectly passes for sibling paths such as 'dist-evil' when the output path is 'dist' (indexOf returns 0 on any shared string prefix). The fix in PR #112 replaces this with a startsWith(outputPath + path.sep) comparison, which correctly rejects paths that merely share a string prefix with the output directory.

RemediationAI

Monitor GitHub PR #112 (https://github.com/kevva/decompress/pull/112) and the decompress npm registry page for a patched tagged release; upgrade to that version immediately upon publication. The fix replaces flawed indexOf-based containment checks with stricter startsWith(outputPath + path.sep) comparisons, closing both the prefix confusion and the symlink ordering bypass. Do not rely on the preventWritingThroughSymlink configuration option from the CVE-2020-12265 fix - this CVE explicitly circumvents it. Until a patched release is available, consider migrating to a maintained alternative such as adm-zip or unzipper that has independently verified Zip Slip defenses. As a compensating control, validate all archive entry paths before extraction, reject archives containing symlink entries, or run the extraction process inside a container or chroot environment with write access restricted to the intended output directory only - note that process isolation adds deployment complexity and does not fix the underlying library flaw. Restricting the Node.js process to least-privilege filesystem permissions limits the blast radius if exploitation occurs.

Vendor StatusVendor

Share

EUVD-2026-34785 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy