Search

Find a vulnerability

Search criteria

    2 vulnerabilities by XhmikosR

    CVE-2026-53486 (GCVE-0-2026-53486)

    Vulnerability from nvd – Published: 2026-07-14 20:07 – Updated: 2026-07-14 20:07
    VLAI
    Title
    decompress: Archive extraction can create files and links outside the target directory
    Summary
    The decompress package for Node.js extracts archives. Prior to 10.2.1 and 11.1.3, archive extraction can create files and links outside the target directory. When extracting an archive to a directory, a crafted archive can read or write files outside that directory because hardlink and symlink entries are created without checking where targets point, path containment used a string prefix comparison, and file modes failed to remove setuid, setgid, or sticky bits. This issue is fixed in @xhmikosr/decompress versions 10.2.1 and 11.1.3.
    CWE
    • CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
    • CWE-59 - Improper Link Resolution Before File Access ('Link Following')
    • CWE-732 - Incorrect Permission Assignment for Critical Resource
    Assigner
    Impacted products
    Vendor Product Version
    XhmikosR decompress Affected: < 10.2.1
    Affected: >= 11.0.0, < 11.1.3
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "product": "decompress",
              "vendor": "XhmikosR",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 10.2.1"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 11.0.0, \u003c 11.1.3"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The decompress package for Node.js extracts archives. Prior to 10.2.1 and 11.1.3, archive extraction can create files and links outside the target directory. When extracting an archive to a directory, a crafted archive can read or write files outside that directory because hardlink and symlink entries are created without checking where targets point, path containment used a string prefix comparison, and file modes failed to remove setuid, setgid, or sticky bits. This issue is fixed in @xhmikosr/decompress versions 10.2.1 and 11.1.3."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 9.1,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-22",
                  "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-59",
                  "description": "CWE-59: Improper Link Resolution Before File Access (\u0027Link Following\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-732",
                  "description": "CWE-732: Incorrect Permission Assignment for Critical Resource",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-14T20:07:14.190Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/XhmikosR/decompress/security/advisories/GHSA-mp2f-45pm-3cg9",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/XhmikosR/decompress/security/advisories/GHSA-mp2f-45pm-3cg9"
            },
            {
              "name": "https://github.com/XhmikosR/decompress/commit/281cefa00cd4275c10479bc5f1abba6b14dee8bd",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/XhmikosR/decompress/commit/281cefa00cd4275c10479bc5f1abba6b14dee8bd"
            },
            {
              "name": "https://github.com/XhmikosR/decompress/commit/60b5299402e72b0b53ca2e55222e9a1ccb44afae",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/XhmikosR/decompress/commit/60b5299402e72b0b53ca2e55222e9a1ccb44afae"
            },
            {
              "name": "https://github.com/XhmikosR/decompress/commit/9fcda4b0a66ca22dc8d337f9b0e7c30293c5fb89",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/XhmikosR/decompress/commit/9fcda4b0a66ca22dc8d337f9b0e7c30293c5fb89"
            },
            {
              "name": "https://github.com/XhmikosR/decompress/commit/aca5aac415dc04a6fae5200e51368cff436a09dd",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/XhmikosR/decompress/commit/aca5aac415dc04a6fae5200e51368cff436a09dd"
            },
            {
              "name": "https://github.com/XhmikosR/decompress/releases/tag/v10.2.1",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/XhmikosR/decompress/releases/tag/v10.2.1"
            },
            {
              "name": "https://github.com/XhmikosR/decompress/releases/tag/v11.1.3",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/XhmikosR/decompress/releases/tag/v11.1.3"
            }
          ],
          "source": {
            "advisory": "GHSA-mp2f-45pm-3cg9",
            "discovery": "UNKNOWN"
          },
          "title": "decompress: Archive extraction can create files and links outside the target directory"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-53486",
        "datePublished": "2026-07-14T20:07:14.190Z",
        "dateReserved": "2026-06-09T17:05:25.058Z",
        "dateUpdated": "2026-07-14T20:07:14.190Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-53486 (GCVE-0-2026-53486)

    Vulnerability from cvelistv5 – Published: 2026-07-14 20:07 – Updated: 2026-07-14 20:07
    VLAI
    Title
    decompress: Archive extraction can create files and links outside the target directory
    Summary
    The decompress package for Node.js extracts archives. Prior to 10.2.1 and 11.1.3, archive extraction can create files and links outside the target directory. When extracting an archive to a directory, a crafted archive can read or write files outside that directory because hardlink and symlink entries are created without checking where targets point, path containment used a string prefix comparison, and file modes failed to remove setuid, setgid, or sticky bits. This issue is fixed in @xhmikosr/decompress versions 10.2.1 and 11.1.3.
    CWE
    • CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
    • CWE-59 - Improper Link Resolution Before File Access ('Link Following')
    • CWE-732 - Incorrect Permission Assignment for Critical Resource
    Assigner
    Impacted products
    Vendor Product Version
    XhmikosR decompress Affected: < 10.2.1
    Affected: >= 11.0.0, < 11.1.3
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "product": "decompress",
              "vendor": "XhmikosR",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 10.2.1"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 11.0.0, \u003c 11.1.3"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The decompress package for Node.js extracts archives. Prior to 10.2.1 and 11.1.3, archive extraction can create files and links outside the target directory. When extracting an archive to a directory, a crafted archive can read or write files outside that directory because hardlink and symlink entries are created without checking where targets point, path containment used a string prefix comparison, and file modes failed to remove setuid, setgid, or sticky bits. This issue is fixed in @xhmikosr/decompress versions 10.2.1 and 11.1.3."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 9.1,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-22",
                  "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-59",
                  "description": "CWE-59: Improper Link Resolution Before File Access (\u0027Link Following\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-732",
                  "description": "CWE-732: Incorrect Permission Assignment for Critical Resource",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-14T20:07:14.190Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/XhmikosR/decompress/security/advisories/GHSA-mp2f-45pm-3cg9",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/XhmikosR/decompress/security/advisories/GHSA-mp2f-45pm-3cg9"
            },
            {
              "name": "https://github.com/XhmikosR/decompress/commit/281cefa00cd4275c10479bc5f1abba6b14dee8bd",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/XhmikosR/decompress/commit/281cefa00cd4275c10479bc5f1abba6b14dee8bd"
            },
            {
              "name": "https://github.com/XhmikosR/decompress/commit/60b5299402e72b0b53ca2e55222e9a1ccb44afae",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/XhmikosR/decompress/commit/60b5299402e72b0b53ca2e55222e9a1ccb44afae"
            },
            {
              "name": "https://github.com/XhmikosR/decompress/commit/9fcda4b0a66ca22dc8d337f9b0e7c30293c5fb89",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/XhmikosR/decompress/commit/9fcda4b0a66ca22dc8d337f9b0e7c30293c5fb89"
            },
            {
              "name": "https://github.com/XhmikosR/decompress/commit/aca5aac415dc04a6fae5200e51368cff436a09dd",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/XhmikosR/decompress/commit/aca5aac415dc04a6fae5200e51368cff436a09dd"
            },
            {
              "name": "https://github.com/XhmikosR/decompress/releases/tag/v10.2.1",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/XhmikosR/decompress/releases/tag/v10.2.1"
            },
            {
              "name": "https://github.com/XhmikosR/decompress/releases/tag/v11.1.3",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/XhmikosR/decompress/releases/tag/v11.1.3"
            }
          ],
          "source": {
            "advisory": "GHSA-mp2f-45pm-3cg9",
            "discovery": "UNKNOWN"
          },
          "title": "decompress: Archive extraction can create files and links outside the target directory"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-53486",
        "datePublished": "2026-07-14T20:07:14.190Z",
        "dateReserved": "2026-06-09T17:05:25.058Z",
        "dateUpdated": "2026-07-14T20:07:14.190Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }