<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Decompress - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/decompress/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Mon, 06 Jul 2026 20:31:50 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/decompress/feed.xml" rel="self" type="application/rss+xml"/><item><title>Decompress Archive Extraction Vulnerability Allows Path Traversal and Privilege Escalation (CVE-2026-53486)</title><link>https://feed.craftedsignal.io/briefs/2026-07-decompress-archive-extraction-vulnerability/</link><pubDate>Mon, 06 Jul 2026 20:31:50 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-decompress-archive-extraction-vulnerability/</guid><description>A critical vulnerability (CVE-2026-53486) in the `@xhmikosr/decompress` and unmaintained `decompress` npm packages allows attackers to craft malicious archives that, upon extraction, can write or read files outside the target directory, expose arbitrary file contents, or create setuid/setgid files leading to arbitrary file system modification, information disclosure, and potential privilege escalation.</description><content:encoded><![CDATA[<p>A critical vulnerability, CVE-2026-53486, affects the <code>@xhmikosr/decompress</code> npm package (versions prior to 10.2.1 and between 11.0.0 and 11.1.3) and the unmaintained <code>decompress</code> package (all versions up to 4.2.1). This flaw allows an attacker to craft a malicious archive (tar, tar.gz, tar.bz2, zip, or others via plugins) that, when extracted, can read or write files outside the intended target directory. The vulnerability stems from insufficient path containment checks (using a prefix comparison) and improper handling of hardlinks, symlinks, and file modes (failing to remove setuid/setgid bits). This means that extracting an untrusted archive can lead to arbitrary file access, information exposure, and if extraction occurs as a privileged user (e.g., root in CI/CD, containers, or install scripts), potential privilege escalation through the creation of setuid/setgid binaries. The vulnerability is network-reachable as archives are commonly downloaded.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li><strong>Crafted Archive Creation</strong>: An attacker creates a malicious archive file (e.g., <code>.tar</code>, <code>.zip</code>) containing specially crafted entries that leverage path traversal sequences (e.g., <code>../</code>), hardlinks targeting sensitive files, symlinks pointing outside the target directory, or files with setuid/setgid bits.</li>
<li><strong>Delivery</strong>: The malicious archive is delivered to a victim system. This could occur via various methods, such as embedding it in a software supply chain update, a malicious email attachment, or a download from a compromised website.</li>
<li><strong>Initiation of Extraction</strong>: An application or script using the vulnerable <code>decompress</code> or <code>@xhmikosr/decompress</code> library attempts to extract the delivered archive to a specified output directory.</li>
<li><strong>Path Traversal/File Write</strong>: Due to the flawed path containment check, the library incorrectly resolves paths for entries like <code>output/../sibling-dir/malicious_file</code>, allowing the attacker to write files to arbitrary locations outside the intended extraction directory.</li>
<li><strong>Hardlink/Symlink Abuse</strong>: The library creates hardlink entries pointing to sensitive files (e.g., <code>/etc/shadow</code>) or symlink entries that redirect subsequent writes or reads to arbitrary locations on the filesystem, exposing or modifying sensitive data.</li>
<li><strong>Privilege Escalation</strong>: If the extraction process runs with elevated privileges (e.g., as root), the attacker-crafted archive creates a file with setuid/setgid bits preserved, leading to a privileged executable that the attacker can then invoke for system-wide compromise.</li>
<li><strong>Impact</strong>: The attacker achieves arbitrary file write/read, information disclosure (e.g., sensitive configuration files, credentials), or privilege escalation on the affected system, enabling further malicious activities.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>The vulnerability allows for severe consequences, including arbitrary file writes, arbitrary file reads, and privilege escalation. If an attacker can deliver a specially crafted archive, they can overwrite critical system files, modify configuration, extract sensitive data like credentials, or create setuid/setgid executables. This is particularly concerning in environments where archive extraction is performed with elevated privileges, such as CI/CD pipelines, container build processes, or automated software installation scripts, leading to full system compromise. Any application that processes untrusted archives using the affected libraries is at risk.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li><strong>Patch CVE-2026-53486 immediately</strong>: Upgrade <code>@xhmikosr/decompress</code> to version 10.2.1 or 11.1.3 or later.</li>
<li><strong>Migrate from <code>decompress</code></strong>: For applications using the unmaintained <code>decompress</code> package, migrate to <code>@xhmikosr/decompress</code> 11.1.3 or later, as <code>decompress</code> will not receive a fix for CVE-2026-53486.</li>
<li><strong>Implement least privilege</strong>: Ensure archive extraction processes are run with the lowest possible privileges to mitigate the impact of CVE-2026-53486, specifically preventing the creation of setuid/setgid files.</li>
<li><strong>Validate archive contents</strong>: Implement post-extraction validation to check for and reject any symlinks or hardlinks pointing outside the target directory or any files with unexpected mode bits, as a temporary workaround for CVE-2026-53486 if immediate patching is not possible.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>vulnerability</category><category>path-traversal</category><category>privilege-escalation</category><category>npm</category><category>supply-chain</category></item></channel></rss>