Description
All versions of the package decompress are vulnerable to Arbitrary File Write via Archive Extraction (Zip Slip) when extracting a ZIP archive containing two entries with the same path - the first being a symlink to an arbitrary target and the second being a regular file - the file content is written through the symlink to the target location outside the output directory. This is due to the microtask processing order that checks readlink for the second file before resolving symlink for the first file. An attacker can write arbitrary file on the host filesystem potentially leading to remote code execution by providing a specially crafted ZIP archive.

**Note:**

This bypasses all existing path traversal protections including preventWritingThroughSymlink, added as a part of the fix for [CVE-2020-12265](https://security.snyk.io/vuln/SNYK-JS-DECOMPRESS-557358).
Published: 2026-06-05
Score: 6.1 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The decompression library is vulnerable to an arbitrary file write through Zip Slip when a ZIP archive contains two entries with the same path: a symlink pointing to an arbitrary location followed by a regular file. During extraction the microtask queue processes the symlink resolution before the second file is written, causing the file’s content to be written via the symlink to a target location outside the intended output directory. This flaw, classified as CWE‑29, allows an attacker to create or overwrite arbitrary files on the host filesystem, potentially leading to remote code execution if the written file is executable or otherwise trusted by the application. The impact is confined to the execution environment of the application; if the application runs with sufficient privileges, the attacker can overwrite critical system files.

Affected Systems

All releases of the JavaScript package "decompress" are affected. No specific version range is excluded, so any dependency that pulls in this library remains vulnerable until an updated version is used.

Risk and Exploitability

The CVSS score of 6.1 indicates a moderate severity. EPSS data is not available and the vulnerability is not listed in the CISA KEV catalog, suggesting that public exploitation is not yet confirmed. The likely attack vector is through the reception of a specially crafted ZIP archive—such as a file upload, an HTTP response, or a network payload—processed by the application’s extraction routine. The main prerequisite for exploitation is the ability to supply such a crafted archive to the vulnerable component. Once written, modifications to key files can lead to a full compromise if the environment is not properly isolated.

Generated by OpenCVE AI on June 5, 2026 at 07:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the decompress library to a version that incorporates the upstream fix (e.g., by applying the changes verified in PR112).
  • Restrict the sources of ZIP archives to trusted inputs, and validate the archive contents before extraction to ensure no unexpected symlink or duplicate entries are present.
  • If an immediate upgrade is not feasible, mitigate by disabling symlink handling in the extraction routine or sanitizing filenames to strip paths that would resolve outside the destination directory; additionally, run the extraction process with the least privilege necessary.

Generated by OpenCVE AI on June 5, 2026 at 07:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 05 Jun 2026 07:45:00 +0000

Type Values Removed Values Added
Title Symlink‑Based Zip Slip Leading to Arbitrary File Write in decompress

Fri, 05 Jun 2026 06:45:00 +0000

Type Values Removed Values Added
Description All versions of the package decompress are vulnerable to Arbitrary File Write via Archive Extraction (Zip Slip) when extracting a ZIP archive containing two entries with the same path - the first being a symlink to an arbitrary target and the second being a regular file - the file content is written through the symlink to the target location outside the output directory. This is due to the microtask processing order that checks readlink for the second file before resolving symlink for the first file. An attacker can write arbitrary file on the host filesystem potentially leading to remote code execution by providing a specially crafted ZIP archive. **Note:** This bypasses all existing path traversal protections including preventWritingThroughSymlink, added as a part of the fix for [CVE-2020-12265](https://security.snyk.io/vuln/SNYK-JS-DECOMPRESS-557358).
Weaknesses CWE-29
References
Metrics cvssV3_1

{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:L/E:P'}

cvssV4_0

{'score': 6.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N/E:P'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: snyk

Published:

Updated: 2026-06-05T05:00:02.896Z

Reserved: 2026-06-03T11:55:48.369Z

Link: CVE-2026-10732

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-06-05T07:16:29.447

Modified: 2026-06-05T07:16:29.447

Link: CVE-2026-10732

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-05T07:30:31Z

Weaknesses