{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/@xhmikosr/decompress/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["@xhmikosr/decompress","decompress"],"_cs_severities":["critical"],"_cs_tags":["vulnerability","path-traversal","privilege-escalation","npm","supply-chain"],"_cs_type":"advisory","_cs_vendors":["XhmikosR"],"content_html":"\u003cp\u003eA critical vulnerability, CVE-2026-53486, affects the \u003ccode\u003e@xhmikosr/decompress\u003c/code\u003e npm package (versions prior to 10.2.1 and between 11.0.0 and 11.1.3) and the unmaintained \u003ccode\u003edecompress\u003c/code\u003e package (all versions up to 4.2.1). This flaw allows an attacker to craft a malicious archive (tar, tar.gz, tar.bz2, zip, or others via plugins) that, when extracted, can read or write files outside the intended target directory. The vulnerability stems from insufficient path containment checks (using a prefix comparison) and improper handling of hardlinks, symlinks, and file modes (failing to remove setuid/setgid bits). This means that extracting an untrusted archive can lead to arbitrary file access, information exposure, and if extraction occurs as a privileged user (e.g., root in CI/CD, containers, or install scripts), potential privilege escalation through the creation of setuid/setgid binaries. The vulnerability is network-reachable as archives are commonly downloaded.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eCrafted Archive Creation\u003c/strong\u003e: An attacker creates a malicious archive file (e.g., \u003ccode\u003e.tar\u003c/code\u003e, \u003ccode\u003e.zip\u003c/code\u003e) containing specially crafted entries that leverage path traversal sequences (e.g., \u003ccode\u003e../\u003c/code\u003e), hardlinks targeting sensitive files, symlinks pointing outside the target directory, or files with setuid/setgid bits.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDelivery\u003c/strong\u003e: The malicious archive is delivered to a victim system. This could occur via various methods, such as embedding it in a software supply chain update, a malicious email attachment, or a download from a compromised website.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eInitiation of Extraction\u003c/strong\u003e: An application or script using the vulnerable \u003ccode\u003edecompress\u003c/code\u003e or \u003ccode\u003e@xhmikosr/decompress\u003c/code\u003e library attempts to extract the delivered archive to a specified output directory.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePath Traversal/File Write\u003c/strong\u003e: Due to the flawed path containment check, the library incorrectly resolves paths for entries like \u003ccode\u003eoutput/../sibling-dir/malicious_file\u003c/code\u003e, allowing the attacker to write files to arbitrary locations outside the intended extraction directory.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eHardlink/Symlink Abuse\u003c/strong\u003e: The library creates hardlink entries pointing to sensitive files (e.g., \u003ccode\u003e/etc/shadow\u003c/code\u003e) or symlink entries that redirect subsequent writes or reads to arbitrary locations on the filesystem, exposing or modifying sensitive data.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation\u003c/strong\u003e: If the extraction process runs with elevated privileges (e.g., as root), the attacker-crafted archive creates a file with setuid/setgid bits preserved, leading to a privileged executable that the attacker can then invoke for system-wide compromise.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eImpact\u003c/strong\u003e: The attacker achieves arbitrary file write/read, information disclosure (e.g., sensitive configuration files, credentials), or privilege escalation on the affected system, enabling further malicious activities.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe vulnerability allows for severe consequences, including arbitrary file writes, arbitrary file reads, and privilege escalation. If an attacker can deliver a specially crafted archive, they can overwrite critical system files, modify configuration, extract sensitive data like credentials, or create setuid/setgid executables. This is particularly concerning in environments where archive extraction is performed with elevated privileges, such as CI/CD pipelines, container build processes, or automated software installation scripts, leading to full system compromise. Any application that processes untrusted archives using the affected libraries is at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cstrong\u003ePatch CVE-2026-53486 immediately\u003c/strong\u003e: Upgrade \u003ccode\u003e@xhmikosr/decompress\u003c/code\u003e to version 10.2.1 or 11.1.3 or later.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eMigrate from \u003ccode\u003edecompress\u003c/code\u003e\u003c/strong\u003e: For applications using the unmaintained \u003ccode\u003edecompress\u003c/code\u003e package, migrate to \u003ccode\u003e@xhmikosr/decompress\u003c/code\u003e 11.1.3 or later, as \u003ccode\u003edecompress\u003c/code\u003e will not receive a fix for CVE-2026-53486.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eImplement least privilege\u003c/strong\u003e: Ensure archive extraction processes are run with the lowest possible privileges to mitigate the impact of CVE-2026-53486, specifically preventing the creation of setuid/setgid files.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eValidate archive contents\u003c/strong\u003e: Implement post-extraction validation to check for and reject any symlinks or hardlinks pointing outside the target directory or any files with unexpected mode bits, as a temporary workaround for CVE-2026-53486 if immediate patching is not possible.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-06T20:31:50Z","date_published":"2026-07-06T20:31:50Z","id":"https://feed.craftedsignal.io/briefs/2026-07-decompress-archive-extraction-vulnerability/","summary":"A critical vulnerability (CVE-2026-53486) in the `@xhmikosr/decompress` and unmaintained `decompress` npm packages allows attackers to craft malicious archives that, upon extraction, can write or read files outside the target directory, expose arbitrary file contents, or create setuid/setgid files leading to arbitrary file system modification, information disclosure, and potential privilege escalation.","title":"Decompress Archive Extraction Vulnerability Allows Path Traversal and Privilege Escalation (CVE-2026-53486)","url":"https://feed.craftedsignal.io/briefs/2026-07-decompress-archive-extraction-vulnerability/"}],"language":"en","title":"CraftedSignal Threat Feed - @Xhmikosr/Decompress","version":"https://jsonfeed.org/version/1.1"}