decompress before 4.2.2 allows arbitrary symlink creation during archive extraction. When processing symlink entries (type === 'symlink'), the x.linkname field from the archive is passed directly to fs.symlink() without validation (index.js line 121). The preventWritingThroughSymlink check on line 98 only applies to file entries, not symlink creation. An attacker can craft an archive with symlink entries pointing to sensitive files outside the extraction directory (e.g., /etc/passwd), enabling information disclosure when the application reads the extracted contents.
History

Sun, 12 Jul 2026 07:45:00 +0000

Type Values Removed Values Added
Title Symlink Creation Allows Sensitive File Disclosure in decompress NPM Package

Fri, 10 Jul 2026 18:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-59
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 09 Jul 2026 22:45:00 +0000

Type Values Removed Values Added
First Time appeared Kevva
Kevva decompress
Vendors & Products Kevva
Kevva decompress

Thu, 09 Jul 2026 21:45:00 +0000

Type Values Removed Values Added
Description decompress before 4.2.2 allows arbitrary symlink creation during archive extraction. When processing symlink entries (type === 'symlink'), the x.linkname field from the archive is passed directly to fs.symlink() without validation (index.js line 121). The preventWritingThroughSymlink check on line 98 only applies to file entries, not symlink creation. An attacker can craft an archive with symlink entries pointing to sensitive files outside the extraction directory (e.g., /etc/passwd), enabling information disclosure when the application reads the extracted contents.
References

cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2026-07-09T00:00:00.000Z

Updated: 2026-07-10T17:27:46.481Z

Reserved: 2026-04-06T00:00:00.000Z

Link: CVE-2026-39246

cve-icon Vulnrichment

Updated: 2026-07-10T17:10:18.349Z

cve-icon NVD

No data.

cve-icon Redhat

No data.