4 matches found
CVE-2020-12265
The CVE-2020-12265 entry concerns the Node.js decompress package before version 4.2.1. Root cause: Directory Traversal via ../ in an archive member when a symlink is used, allowing Arbitrary File Write. Affected software: decompress (Node.js) prior to 4.2.1. Impact statements in the connected doc...
CVE-2026-39246
The connected documents confirm a concrete vulnerability in the decompression tool: before v4.2.2, symlink entries (type === 'symlink') pass the archive’s x.linkname directly to fs.symlink() without validation. The existing preventWritingThroughSymlink check only applies to file entries, not syml...
CVE-2026-39245
CVE-2026-39245 affects the decompress package (before 4.2.2). The vulnerability arises from an improper path containment check during extraction: safeMakeDir (index.js:29) and extraction path validation (index.js:106) rely on realDestinationDir.indexOf(realOutputPath) !== 0. This boundary check f...
CVE-2026-39243
The CVE-2026-39243 entry concerns decompress before 4.2.2, where archive extraction can create arbitrary hardlinks. During processing of hardlink entries (type === 'link'), the x.linkname field is passed directly to fs.link() without validation, enabling an attacker to craft an archive whose hard...