Search
Find a vulnerability
Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
2 vulnerabilities by XhmikosR
CVE-2026-53486 (GCVE-0-2026-53486)
Vulnerability from nvd – Published: 2026-07-14 20:07 – Updated: 2026-07-14 20:07
VLAI
EPSS
VEX
Title
decompress: Archive extraction can create files and links outside the target directory
Summary
The decompress package for Node.js extracts archives. Prior to 10.2.1 and 11.1.3, archive extraction can create files and links outside the target directory. When extracting an archive to a directory, a crafted archive can read or write files outside that directory because hardlink and symlink entries are created without checking where targets point, path containment used a string prefix comparison, and file modes failed to remove setuid, setgid, or sticky bits. This issue is fixed in @xhmikosr/decompress versions 10.2.1 and 11.1.3.
Severity
9.1 (Critical)
CWE
Assigner
References
7 references
| URL | Tags |
|---|---|
| https://github.com/XhmikosR/decompress/security/a… | x_refsource_CONFIRM |
| https://github.com/XhmikosR/decompress/commit/281… | x_refsource_MISC |
| https://github.com/XhmikosR/decompress/commit/60b… | x_refsource_MISC |
| https://github.com/XhmikosR/decompress/commit/9fc… | x_refsource_MISC |
| https://github.com/XhmikosR/decompress/commit/aca… | x_refsource_MISC |
| https://github.com/XhmikosR/decompress/releases/t… | x_refsource_MISC |
| https://github.com/XhmikosR/decompress/releases/t… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| XhmikosR | decompress |
Affected:
< 10.2.1
Affected: >= 11.0.0, < 11.1.3 |
{
"containers": {
"cna": {
"affected": [
{
"product": "decompress",
"vendor": "XhmikosR",
"versions": [
{
"status": "affected",
"version": "\u003c 10.2.1"
},
{
"status": "affected",
"version": "\u003e= 11.0.0, \u003c 11.1.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The decompress package for Node.js extracts archives. Prior to 10.2.1 and 11.1.3, archive extraction can create files and links outside the target directory. When extracting an archive to a directory, a crafted archive can read or write files outside that directory because hardlink and symlink entries are created without checking where targets point, path containment used a string prefix comparison, and file modes failed to remove setuid, setgid, or sticky bits. This issue is fixed in @xhmikosr/decompress versions 10.2.1 and 11.1.3."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-59",
"description": "CWE-59: Improper Link Resolution Before File Access (\u0027Link Following\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-732",
"description": "CWE-732: Incorrect Permission Assignment for Critical Resource",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-14T20:07:14.190Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/XhmikosR/decompress/security/advisories/GHSA-mp2f-45pm-3cg9",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/XhmikosR/decompress/security/advisories/GHSA-mp2f-45pm-3cg9"
},
{
"name": "https://github.com/XhmikosR/decompress/commit/281cefa00cd4275c10479bc5f1abba6b14dee8bd",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/XhmikosR/decompress/commit/281cefa00cd4275c10479bc5f1abba6b14dee8bd"
},
{
"name": "https://github.com/XhmikosR/decompress/commit/60b5299402e72b0b53ca2e55222e9a1ccb44afae",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/XhmikosR/decompress/commit/60b5299402e72b0b53ca2e55222e9a1ccb44afae"
},
{
"name": "https://github.com/XhmikosR/decompress/commit/9fcda4b0a66ca22dc8d337f9b0e7c30293c5fb89",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/XhmikosR/decompress/commit/9fcda4b0a66ca22dc8d337f9b0e7c30293c5fb89"
},
{
"name": "https://github.com/XhmikosR/decompress/commit/aca5aac415dc04a6fae5200e51368cff436a09dd",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/XhmikosR/decompress/commit/aca5aac415dc04a6fae5200e51368cff436a09dd"
},
{
"name": "https://github.com/XhmikosR/decompress/releases/tag/v10.2.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/XhmikosR/decompress/releases/tag/v10.2.1"
},
{
"name": "https://github.com/XhmikosR/decompress/releases/tag/v11.1.3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/XhmikosR/decompress/releases/tag/v11.1.3"
}
],
"source": {
"advisory": "GHSA-mp2f-45pm-3cg9",
"discovery": "UNKNOWN"
},
"title": "decompress: Archive extraction can create files and links outside the target directory"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-53486",
"datePublished": "2026-07-14T20:07:14.190Z",
"dateReserved": "2026-06-09T17:05:25.058Z",
"dateUpdated": "2026-07-14T20:07:14.190Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-53486 (GCVE-0-2026-53486)
Vulnerability from cvelistv5 – Published: 2026-07-14 20:07 – Updated: 2026-07-14 20:07
VLAI
EPSS
VEX
Title
decompress: Archive extraction can create files and links outside the target directory
Summary
The decompress package for Node.js extracts archives. Prior to 10.2.1 and 11.1.3, archive extraction can create files and links outside the target directory. When extracting an archive to a directory, a crafted archive can read or write files outside that directory because hardlink and symlink entries are created without checking where targets point, path containment used a string prefix comparison, and file modes failed to remove setuid, setgid, or sticky bits. This issue is fixed in @xhmikosr/decompress versions 10.2.1 and 11.1.3.
Severity
9.1 (Critical)
CWE
Assigner
References
7 references
| URL | Tags |
|---|---|
| https://github.com/XhmikosR/decompress/security/a… | x_refsource_CONFIRM |
| https://github.com/XhmikosR/decompress/commit/281… | x_refsource_MISC |
| https://github.com/XhmikosR/decompress/commit/60b… | x_refsource_MISC |
| https://github.com/XhmikosR/decompress/commit/9fc… | x_refsource_MISC |
| https://github.com/XhmikosR/decompress/commit/aca… | x_refsource_MISC |
| https://github.com/XhmikosR/decompress/releases/t… | x_refsource_MISC |
| https://github.com/XhmikosR/decompress/releases/t… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| XhmikosR | decompress |
Affected:
< 10.2.1
Affected: >= 11.0.0, < 11.1.3 |
{
"containers": {
"cna": {
"affected": [
{
"product": "decompress",
"vendor": "XhmikosR",
"versions": [
{
"status": "affected",
"version": "\u003c 10.2.1"
},
{
"status": "affected",
"version": "\u003e= 11.0.0, \u003c 11.1.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The decompress package for Node.js extracts archives. Prior to 10.2.1 and 11.1.3, archive extraction can create files and links outside the target directory. When extracting an archive to a directory, a crafted archive can read or write files outside that directory because hardlink and symlink entries are created without checking where targets point, path containment used a string prefix comparison, and file modes failed to remove setuid, setgid, or sticky bits. This issue is fixed in @xhmikosr/decompress versions 10.2.1 and 11.1.3."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-59",
"description": "CWE-59: Improper Link Resolution Before File Access (\u0027Link Following\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-732",
"description": "CWE-732: Incorrect Permission Assignment for Critical Resource",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-14T20:07:14.190Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/XhmikosR/decompress/security/advisories/GHSA-mp2f-45pm-3cg9",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/XhmikosR/decompress/security/advisories/GHSA-mp2f-45pm-3cg9"
},
{
"name": "https://github.com/XhmikosR/decompress/commit/281cefa00cd4275c10479bc5f1abba6b14dee8bd",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/XhmikosR/decompress/commit/281cefa00cd4275c10479bc5f1abba6b14dee8bd"
},
{
"name": "https://github.com/XhmikosR/decompress/commit/60b5299402e72b0b53ca2e55222e9a1ccb44afae",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/XhmikosR/decompress/commit/60b5299402e72b0b53ca2e55222e9a1ccb44afae"
},
{
"name": "https://github.com/XhmikosR/decompress/commit/9fcda4b0a66ca22dc8d337f9b0e7c30293c5fb89",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/XhmikosR/decompress/commit/9fcda4b0a66ca22dc8d337f9b0e7c30293c5fb89"
},
{
"name": "https://github.com/XhmikosR/decompress/commit/aca5aac415dc04a6fae5200e51368cff436a09dd",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/XhmikosR/decompress/commit/aca5aac415dc04a6fae5200e51368cff436a09dd"
},
{
"name": "https://github.com/XhmikosR/decompress/releases/tag/v10.2.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/XhmikosR/decompress/releases/tag/v10.2.1"
},
{
"name": "https://github.com/XhmikosR/decompress/releases/tag/v11.1.3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/XhmikosR/decompress/releases/tag/v11.1.3"
}
],
"source": {
"advisory": "GHSA-mp2f-45pm-3cg9",
"discovery": "UNKNOWN"
},
"title": "decompress: Archive extraction can create files and links outside the target directory"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-53486",
"datePublished": "2026-07-14T20:07:14.190Z",
"dateReserved": "2026-06-09T17:05:25.058Z",
"dateUpdated": "2026-07-14T20:07:14.190Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}