Lucene search
K
Decompress ProjectDecompress

4 matches found

CVE
CVE
added 2020/04/26 4:46 p.m.123 views

CVE-2020-12265

The CVE-2020-12265 entry concerns the Node.js decompress package before version 4.2.1. Root cause: Directory Traversal via ../ in an archive member when a symlink is used, allowing Arbitrary File Write. Affected software: decompress (Node.js) prior to 4.2.1. Impact statements in the connected doc...

9.8CVSS9.3AI score0.02147EPSS
CVE
CVE
added 5 days ago12 views

CVE-2026-39246

The connected documents confirm a concrete vulnerability in the decompression tool: before v4.2.2, symlink entries (type === 'symlink') pass the archive’s x.linkname directly to fs.symlink() without validation. The existing preventWritingThroughSymlink check only applies to file entries, not syml...

7.5CVSS6.1AI score0.00485EPSS
CVE
CVE
added 5 days ago7 views

CVE-2026-39245

CVE-2026-39245 affects the decompress package (before 4.2.2). The vulnerability arises from an improper path containment check during extraction: safeMakeDir (index.js:29) and extraction path validation (index.js:106) rely on realDestinationDir.indexOf(realOutputPath) !== 0. This boundary check f...

6.2CVSS6AI score0.00272EPSS
Web
CVE
CVE
added 5 days ago6 views

CVE-2026-39243

The CVE-2026-39243 entry concerns decompress before 4.2.2, where archive extraction can create arbitrary hardlinks. During processing of hardlink entries (type === 'link'), the x.linkname field is passed directly to fs.link() without validation, enabling an attacker to craft an archive whose hard...

5.5CVSS6.1AI score0.00196EPSS