Back to overview

CVE-2026-53486

CRITICAL
9.1
CVSS 3.1
Description
The decompress package for Node.js extracts archives. Prior to 10.2.1 and 11.1.3, archive extraction can create files and links outside the target directory. When extracting an archive to a directory, a crafted archive can read or write files outside that directory because hardlink and symlink entries are created without checking where targets point, path containment used a string prefix comparison, and file modes failed to remove setuid, setgid, or sticky bits. This issue is fixed in @xhmikosr/decompress versions 10.2.1 and 11.1.3.

Metadata

CVE ID
CVE-2026-53486
State
PUBLISHED
Assigner
GitHub_M
Reserved
2026-06-09 17:05 UTC
Published
2026-07-14 20:07 UTC
Last updated
2026-07-15 13:26 UTC
Primary CWE
CWE-22
CWE-22: Improper Limitation of a Pathname to a Restricted Di…
Vendor / Product
XhmikosR / decompress
Sources
cve.org  ·  NVD

Severity & Metrics

9.1 CRITICAL CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
SSVC — CISA Coordinator
Exploitation
none
Automatable
yes
Tech. Impact
total
Affected products (1)
VendorProductPlatformVersions
XhmikosR decompress < 10.2.1, >= 11.0.0, < 11.1.3
Weakness (CWE)
CWESourceDescription
CWE-22 cna CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CWE-59 cna CWE-59: Improper Link Resolution Before File Access ('Link Following')
CWE-732 cna CWE-732: Incorrect Permission Assignment for Critical Resource
CVSS scores (1)
ScoreSeverityVersionSourceVector
9.1 CRITICAL 3.1 cna CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
References (7)
Back to overview