decompress before 4.2.2 allows arbitrary symlink creation during archive extraction. When processing symlink entries (type === 'symlink'), the x.linkname field from the archive is passed directly to fs.symlink() without validation (index.js line 121). The preventWritingThroughSymlink check on line 98 only applies to file entries, not symlink creation. An attacker can craft an archive with symlink entries pointing to sensitive files outside the extraction directory (e.g., /etc/passwd), enabling information disclosure when the application reads the extracted contents.

Project Subscriptions

Vendors Products
Decompress Subscribe
Advisories

No advisories yet.

Fixes

Solution

No solution given by the vendor.


Workaround

No workaround given by the vendor.

History

Wed, 15 Jul 2026 00:15:00 +0000

Type Values Removed Values Added
Title decompress: decompress: arbitrary symlink creation during archive extraction leads to information disclosure
First Time appeared Redhat
Redhat hummingbird
Weaknesses CWE-61
CPEs cpe:/a:redhat:hummingbird:1
Vendors & Products Redhat
Redhat hummingbird
References
Metrics threat_severity

None

threat_severity

Important


Tue, 14 Jul 2026 15:30:00 +0000

Type Values Removed Values Added
Title Symlink Creation Allows Sensitive File Disclosure in decompress NPM Package

Sun, 12 Jul 2026 07:45:00 +0000

Type Values Removed Values Added
Title Symlink Creation Allows Sensitive File Disclosure in decompress NPM Package

Fri, 10 Jul 2026 18:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-59
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 09 Jul 2026 22:45:00 +0000

Type Values Removed Values Added
First Time appeared Kevva
Kevva decompress
Vendors & Products Kevva
Kevva decompress

Thu, 09 Jul 2026 21:45:00 +0000

Type Values Removed Values Added
Description decompress before 4.2.2 allows arbitrary symlink creation during archive extraction. When processing symlink entries (type === 'symlink'), the x.linkname field from the archive is passed directly to fs.symlink() without validation (index.js line 121). The preventWritingThroughSymlink check on line 98 only applies to file entries, not symlink creation. An attacker can craft an archive with symlink entries pointing to sensitive files outside the extraction directory (e.g., /etc/passwd), enabling information disclosure when the application reads the extracted contents.
References

Projects

Sign in to view the affected projects.

cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-07-10T17:27:46.481Z

Reserved: 2026-04-06T00:00:00.000Z

Link: CVE-2026-39246

cve-icon Vulnrichment

Updated: 2026-07-10T17:10:18.349Z

cve-icon NVD

No data.

cve-icon Redhat

Severity : Important

Publid Date: 2026-07-09T00:00:00Z

Links: CVE-2026-39246 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-07-14T15:15:04Z

Weaknesses