13 matches found
CVE-2026-53486
The CVE affects the Node.js decompress package used for archive extraction. Before versions 10.2.1 and 11.1.3, crafted archives could read or write files outside the target directory due to: hardlink and symlink entries being created without proper target checks; path containment validated by a s...
ROOT-APP-NPM-CVE-2026-53486 CVE-2026-53486 in @rootio/xhmikosr__decompress - Patched by Root
Root has patched CVE-2026-53486 in the @rootio/xhmikosrdecompress package for Root:npm. Multiple fixed versions available...
Symlink Attack
Overview decompress is a package that can be used for extracting archives. Affected versions of this package are vulnerable to Symlink Attack in the symlink handling process. An attacker can create arbitrary symbolic links outside the intended extraction directory by crafting an archive with...
Directory Traversal
Overview decompress is a package that can be used for extracting archives. Affected versions of this package are vulnerable to Directory Traversal via improper validation in the safeMakeDir function and extraction path validation process. An attacker can write arbitrary files outside the intended...
Directory Traversal
Overview org.webjars.npm:decompress is a package that can be used for extracting archives. Affected versions of this package are vulnerable to Directory Traversal and link following during archive extraction, where symlink and hardlink entries are created without checking their targets and the...
CVE-2026-10732
CVE-2026-10732 affects the decompress family (e.g., org.webjars.npm:decompress, decompress) with Zip Slip. All versions are vulnerable when extracting a ZIP containing two entries of the same path: the first a symlink to an arbitrary target and the second a regular file. due to microtask processi...
EUVD-2020-1238
Malware in sbrugna...
CVE-2020-12265
The decompress package before 4.2.1 for Node.js is vulnerable to Arbitrary File Write via ../ in an archive member, when a symlink is used, because of Directory Traversal...
GHSA-QGFR-5HQP-VRW9 Path Traversal in decompress
Versions of decompress prior to 4.2.1 are vulnerable to Arbitrary File Write. The package fails to prevent extraction of files with relative paths, allowing attackers to write to any folder in the system by including filenames containing../. Recommendation Upgrade to version 4.2.1 or later...
decompress package path traversal vulnerability
decompress package is a decompression package. A path traversal vulnerability exists in decompress package versions prior to 4.2.1 Node.js. This vulnerability can be exploited to write arbitrary files with the help of the '... /' string to write arbitrary files...
Directory traversal
The decompress package before 4.2.1 for Node.js is vulnerable to Arbitrary File Write via ../ in an archive member, when a symlink is used, because of Directory Traversal...
CVE-2020-12265
The decompress package before 4.2.1 for Node.js is vulnerable to Arbitrary File Write via ../ in an archive member, when a symlink is used, because of Directory Traversal...
PT-2020-13083
Name of the Vulnerable Software and Affected Versions decompress versions prior to 4.2.1 Description The issue allows for Arbitrary File Write via ../ in an archive member when a symlink is used, due to Directory Traversal. This occurs because the package fails to prevent extraction of files with...