decompress (Nodejs), Path Traversal via Arbitrary Symlink Creation, CVE-2026-39246 (High) -DC-Jul2026-901

Listen to this Post

How CVE-2026-39246 Works

CVE-2026-39246 is a vulnerability in the Node.js `decompress` package versions prior to 4.2.2. The package is used to extract archive files—such as .tar, .tar.gz, .tar.bz2, and .zip—and is widely integrated into build tools, dependency managers, and file processing pipelines. The flaw resides in the logic that handles symbolic link (symlink) entries during extraction.
When `decompress` processes an archive, it parses each entry and determines its type. For entries of type 'symlink', the code extracts the target path from the archive’s `x.linkname` field and passes it directly to Node.js `fs.symlink()` without any validation. This occurs at `index.js` line 121. The critical issue is that a separate safety check, `preventWritingThroughSymlink` at line 98, only applies to regular file entries—not to symlink creation itself. This leaves a gap where an attacker can embed a symlink in a malicious archive that points to an arbitrary location outside the intended extraction directory, such as /etc/passwd.
If an application using `decompress` later reads the extracted symlink, it will follow the link and disclose the contents of the targeted sensitive file. Because the package handles multiple archive formats and symlinks are common in many legitimate archives, the validation bypass is subtle and can easily go unnoticed during code review. The vulnerability is related to the “Zip Slip” class of attacks and is distinct from but similar to earlier issues like CVE-2020-12265, which involved directory traversal via `../` sequences. The advisory `GHSA-mp2f-45pm-3cg9` also tracks this flaw.

DailyCVE Form

Platform: Node.js ecosystem
Version: < 4.2.2
Vulnerability: Arbitrary symlink creation
Severity: High
date: 2026-07-09

Prediction: 2026-07-16

What Undercode Say

Analytics from the `@xhmikosr/decompress` package show that a critical advisory triggered failures in automated npm audit workflows. Projects like `@swc/cli` had to be bumped to version `0.8.1` to resolve the vulnerable dependency chain. The vulnerable version `10.0.1` of `@xhmikosr/decompress` was resolved through `@xhmikosr/bin-wrapper` and @xhmikosr/downloader; the patched version is 11.1.3. The following commands and code snippets illustrate the issue and its detection:

Check for vulnerable decompress versions in your project
npm list decompress
npm list @xhmikosr/decompress
Identify projects depending on the vulnerable chain
pnpm dlx audit-ci --critical

The vulnerable code path in `index.js` (simplified):

// index.js line 121 - vulnerable symlink creation
if (type === 'symlink') {
// x.linkname taken directly from archive, no validation
fs.symlink(x.linkname, destinationPath, callback);
}
// line 98 - this check only applies to file entries
function preventWritingThroughSymlink(file, destination) {
// ... validation logic for files only ...
}

Exploit

An attacker crafts a malicious archive containing a symlink entry. For example, a `.tar` file with a symlink named `config` that points to /etc/passwd. When a vulnerable application extracts this archive into a web-accessible directory and later serves the `config` file, the server follows the symlink and discloses the system’s password file. A proof-of-concept archive can be created using standard command-line tools:

Create a malicious symlink in a tar archive
ln -s /etc/passwd malicious_link
tar -cf exploit.tar malicious_link
Alternatively, create a zip archive with a symlink (may require zip --symlinks)
zip --symlinks exploit.zip malicious_link

When `decompress` extracts this archive, the symlink is created pointing to `/etc/passwd` without any validation. Any subsequent read operation on the extracted file will expose the target’s contents.

Protection

The primary protection is to upgrade to `decompress` version 4.2.2 or later, where the symlink creation logic includes proper validation. For package managers, update your package.json:

{
"dependencies": {
"decompress": "^4.2.2"
}
}

For transitive dependencies, use `npm audit fix` or `pnpm audit` to resolve the chain. The patched version ensures that symlink targets are resolved against the extraction root and rejected if they point outside it. As a workaround, applications can implement their own validation by checking `fs.realpath()` on the symlink target before extraction, or by extracting archives in a sandboxed environment with restricted file system access.

Impact

Successful exploitation allows an attacker to read arbitrary files on the server, leading to information disclosure of sensitive data such as configuration files, credentials, or system files. In environments where extracted files are later processed or made available via web servers, this can result in full system compromise if critical files are exposed. The vulnerability has a CVSS score of 8.8 (High) , reflecting the high impact on confidentiality. While there is no public evidence of active exploitation at the time of writing, the widespread use of `decompress` in build systems and npm packages makes this a critical issue for the Node.js ecosystem.

🎯Let’s Practice Exploiting & Learn Patching For Free:

🎓 Live Courses & Certifications:

Join Undercode Academy for Verified Certifications

🚀 Request a Custom Project:

Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands

Sources:

Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top