Description
All versions of the package decompress are vulnerable to Arbitrary File Write via Archive Extraction (Zip Slip) when extracting a ZIP archive containing two entries with the same path - the first being a symlink to an arbitrary target and the second being a regular file - the file content is written through the symlink to the target location outside the output directory. This is due to the microtask processing order that checks readlink for the second file before resolving symlink for the first file. An attacker can write arbitrary file on the host filesystem potentially leading to remote code execution by providing a specially crafted ZIP archive.

**Note:**

This bypasses all existing path traversal protections including preventWritingThroughSymlink, added as a part of the fix for [CVE-2020-12265](https://security.snyk.io/vuln/SNYK-JS-DECOMPRESS-557358).
Published: 2026-06-05
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The decompression library is vulnerable to an arbitrary file write through Zip Slip when a ZIP archive contains two entries with the same path: a symlink pointing to an arbitrary location followed by a regular file. During extraction the microtask queue processes the symlink resolution before the second file is written, causing the file’s content to be written via the symlink to a target location outside the intended output directory. This flaw, classified as CWE‑29 and CWE‑22, allows an attacker to create or overwrite arbitrary files on the host filesystem, potentially leading to remote code execution if the written file is executable or otherwise trusted by the application. The impact is confined to the execution environment of the application; if the application runs with sufficient privileges, the attacker can overwrite critical system files.

Affected Systems

All releases of the JavaScript package "decompress" are affected. No specific version range is excluded, so any dependency that pulls in this library remains vulnerable until an updated version is used.

Risk and Exploitability

The CVSS score of 6.1 indicates a moderate severity. The EPSS score is 0.00057, implying a very low probability of exploitation, and the vulnerability is not listed in the CISA KEV catalog, suggesting that public exploitation is not yet confirmed. The likely attack vector is through the reception of a specially crafted ZIP archive—such as a file upload, an HTTP response, or a network payload—processed by the application’s extraction routine. The main prerequisite for exploitation is the ability to supply such a crafted archive to the vulnerable component. Once written, modifications to key files can lead to a full compromise if the environment is not properly isolated.

Generated by OpenCVE AI on June 10, 2026 at 02:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the decompress library to a version that incorporates the upstream fix (e.g., by applying the changes verified in PR112).
  • Restrict the sources of ZIP archives to trusted inputs, and validate the archive contents before extraction to ensure no unexpected symlink or duplicate entries are present.
  • If an immediate upgrade is not feasible, mitigate by disabling symlink handling in the extraction routine or sanitizing filenames to strip paths that would resolve outside the destination directory; additionally, run the extraction process with the least privilege necessary.

Generated by OpenCVE AI on June 10, 2026 at 02:38 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 10 Jun 2026 00:15:00 +0000

Type Values Removed Values Added
Title Symlink‑Based Zip Slip Leading to Arbitrary File Write in decompress decompress: Decompress: Arbitrary file write leading to remote code execution via crafted ZIP archive (Zip Slip)
Weaknesses CWE-22
References
Metrics threat_severity

None

 threat_severity

Important

Fri, 05 Jun 2026 19:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 05 Jun 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Kevva
Kevva decompress
Vendors & Products Kevva
Kevva decompress

Fri, 05 Jun 2026 07:45:00 +0000

Type Values Removed Values Added
Title Symlink‑Based Zip Slip Leading to Arbitrary File Write in decompress

Fri, 05 Jun 2026 06:45:00 +0000

Type Values Removed Values Added
Description All versions of the package decompress are vulnerable to Arbitrary File Write via Archive Extraction (Zip Slip) when extracting a ZIP archive containing two entries with the same path - the first being a symlink to an arbitrary target and the second being a regular file - the file content is written through the symlink to the target location outside the output directory. This is due to the microtask processing order that checks readlink for the second file before resolving symlink for the first file. An attacker can write arbitrary file on the host filesystem potentially leading to remote code execution by providing a specially crafted ZIP archive. **Note:** This bypasses all existing path traversal protections including preventWritingThroughSymlink, added as a part of the fix for [CVE-2020-12265](https://security.snyk.io/vuln/SNYK-JS-DECOMPRESS-557358).
Weaknesses CWE-29
References
Metrics cvssV3_1

{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:L/E:P'}

cvssV4_0

{'score': 6.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N/E:P'}

Subscriptions

Kevva Decompress
cve-icon MITRE

Status: PUBLISHED

Assigner: snyk

Published:

Updated: 2026-06-05T18:33:44.669Z

Reserved: 2026-06-03T11:55:48.369Z

Link: CVE-2026-10732

cve-icon Vulnrichment

Updated: 2026-06-05T18:33:41.456Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-06-05T07:16:29.447

Modified: 2026-06-05T14:59:51.620

Link: CVE-2026-10732

cve-icon Redhat

Severity : Important

Publid Date: 2026-06-05T05:00:02Z

Links: CVE-2026-10732 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-10T02:45:15Z

Weaknesses
  • CWE-22

    Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

  • CWE-29

    Path Traversal: '\..\filename'