Decompress Archive Extraction Vulnerability Allows Path Traversal and Privilege Escalation (CVE-2026-53486)
A critical vulnerability (CVE-2026-53486) in the `@xhmikosr/decompress` and unmaintained `decompress` npm packages allows attackers to craft malicious archives that, upon extraction, can write or read files outside the target directory, expose arbitrary file contents, or create setuid/setgid files leading to arbitrary file system modification, information disclosure, and potential privilege escalation.
A critical vulnerability, CVE-2026-53486, affects the @xhmikosr/decompress npm package (versions prior to 10.2.1 and between 11.0.0 and 11.1.3) and the unmaintained decompress package (all versions up to 4.2.1). This flaw allows an attacker to craft a malicious archive (tar, tar.gz, tar.bz2, zip, or others via plugins) that, when extracted, can read or write files outside the intended target directory. The vulnerability stems from insufficient path containment checks (using a prefix comparison) and improper handling of hardlinks, symlinks, and file modes (failing to remove setuid/setgid bits). This means that extracting an untrusted archive can lead to arbitrary file access, information exposure, and if extraction occurs as a privileged user (e.g., root in CI/CD, containers, or install scripts), potential privilege escalation through the creation of setuid/setgid binaries. The vulnerability is network-reachable as archives are commonly downloaded.
Attack Chain
- Crafted Archive Creation: An attacker creates a malicious archive file (e.g.,
.tar,.zip) containing specially crafted entries that leverage path traversal sequences (e.g.,../), hardlinks targeting sensitive files, symlinks pointing outside the target directory, or files with setuid/setgid bits. - Delivery: The malicious archive is delivered to a victim system. This could occur via various methods, such as embedding it in a software supply chain update, a malicious email attachment, or a download from a compromised website.
- Initiation of Extraction: An application or script using the vulnerable
decompressor@xhmikosr/decompresslibrary attempts to extract the delivered archive to a specified output directory. - Path Traversal/File Write: Due to the flawed path containment check, the library incorrectly resolves paths for entries like
output/../sibling-dir/malicious_file, allowing the attacker to write files to arbitrary locations outside the intended extraction directory. - Hardlink/Symlink Abuse: The library creates hardlink entries pointing to sensitive files (e.g.,
/etc/shadow) or symlink entries that redirect subsequent writes or reads to arbitrary locations on the filesystem, exposing or modifying sensitive data. - Privilege Escalation: If the extraction process runs with elevated privileges (e.g., as root), the attacker-crafted archive creates a file with setuid/setgid bits preserved, leading to a privileged executable that the attacker can then invoke for system-wide compromise.
- Impact: The attacker achieves arbitrary file write/read, information disclosure (e.g., sensitive configuration files, credentials), or privilege escalation on the affected system, enabling further malicious activities.
Impact
The vulnerability allows for severe consequences, including arbitrary file writes, arbitrary file reads, and privilege escalation. If an attacker can deliver a specially crafted archive, they can overwrite critical system files, modify configuration, extract sensitive data like credentials, or create setuid/setgid executables. This is particularly concerning in environments where archive extraction is performed with elevated privileges, such as CI/CD pipelines, container build processes, or automated software installation scripts, leading to full system compromise. Any application that processes untrusted archives using the affected libraries is at risk.
Recommendation
- Patch CVE-2026-53486 immediately: Upgrade
@xhmikosr/decompressto version 10.2.1 or 11.1.3 or later. - Migrate from
decompress: For applications using the unmaintaineddecompresspackage, migrate to@xhmikosr/decompress11.1.3 or later, asdecompresswill not receive a fix for CVE-2026-53486. - Implement least privilege: Ensure archive extraction processes are run with the lowest possible privileges to mitigate the impact of CVE-2026-53486, specifically preventing the creation of setuid/setgid files.
- Validate archive contents: Implement post-extraction validation to check for and reject any symlinks or hardlinks pointing outside the target directory or any files with unexpected mode bits, as a temporary workaround for CVE-2026-53486 if immediate patching is not possible.