Listen to this Post
How CVE-2026-39245 Works
The `decompress` npm package (maintained by Kevva) before version 4.2.2 is vulnerable to a directory traversal attack that allows arbitrary file write. The flaw exists in two critical functions responsible for path containment verification during archive extraction.
The Vulnerable Check
The `safeMakeDir` function (index.js, line 29) and the extraction path validation routine (index.js, line 106) use `String.indexOf()` to verify that a resolved path stays within the intended output directory:
realDestinationDir.indexOf(realOutputPath) !== 0
This check determines if `realOutputPath` is a prefix of realDestinationDir. If the result is 0, the path is considered safe.
The Flaw: Missing Path Separator Boundary
The critical mistake is the absence of a path separator enforcement. `String.indexOf()` performs a simple substring match without verifying that the match ends at a directory boundary. This allows an attacker to craft paths that are prefixes of legitimate directories but actually point to entirely different locations.
Practical Example
Consider an extraction target set to /tmp/app. An attacker can craft an archive containing a file that resolves to /tmp/app_config. The vulnerable check evaluates:
"/tmp/app_config".indexOf("/tmp/app") !== 0 // Returns 0 → PASSES
The check passes because `/tmp/app` is a substring of /tmp/app_config. However, `/tmp/app_config` is outside the intended `/tmp/app` directory. This allows the attacker to write files to adjacent directories that share a common prefix with the extraction target.
Bypass of Previous Fix
This vulnerability is a direct bypass of the patch applied for CVE-2020-12265, which attempted to fix path traversal issues in the same package but failed to enforce a proper path separator boundary.
Combined with Unvalidated Symlink Creation
The same package also contains unvalidated symlink creation (CVE-2026-39246), where `x.linkname` from the archive is passed directly to `fs.symlink()` without validation. An attacker can combine both vulnerabilities to write arbitrary files to sensitive system locations, leading to full compromise of the target system.
The Correct Fix
The proper validation requires appending a path separator to the output path before performing the prefix check:
realParentPath.indexOf(realOutputPath + path.sep) !== 0
This ensures that the match only succeeds when the path aligns with an actual directory boundary, preventing the prefix-based bypass.
DailyCVE Form:
Platform: ……. npm / Node.js
Version: …….. < 4.2.2
Vulnerability :…… Directory Traversal / Arbitrary File Write
Severity: ……. MEDIUM (CVSS 6.2)
date: ………. July 9, 2026
Prediction: …… July 20, 2026
What Undercode Say:
Analytics & Technical Breakdown
The vulnerability affects all applications using `decompress` versions below 4.2.2 for extracting untrusted archives. The attack vector is local (AV:L), requires low attack complexity (AC:L), needs no privileges (PR:N), and does not require user interaction (UI:N). The scope is unchanged (S:U), with no confidentiality impact (C:N), high integrity impact (I:H), and no availability impact (A:N).
CVSS Vector: `CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N`
Affected Code Locations:
– `safeMakeDir` function — index.js line 29
– Extraction path validation — index.js line 106
Related CVEs:
- CVE-2020-12265 — Original path traversal (bypassed by this vulnerability)
- CVE-2026-39243 — Arbitrary hardlink creation
- CVE-2026-39246 — Unvalidated symlink creation
Package Information:
- Maintainer: Kevva
- Repository: https://github.com/kevva/decompress
- npm Registry: https://www.npmjs.com/package/decompress
Bash Commands to Check Vulnerable Version:
Check installed version
npm list decompress
Check package.json for dependency
cat package.json | grep decompress
Scan for vulnerable versions in node_modules
find node_modules -name "package.json" -path "/decompress/" -exec grep -H '"version"' {} \;
Code Snippet – Vulnerable Check (index.js lines 29 & 106):
// VULNERABLE - No path separator boundary enforcement
if (realDestinationDir.indexOf(realOutputPath) !== 0) {
throw new Error('Path is outside extraction directory');
}
Code Snippet – Corrected Check:
// FIXED - Enforces path separator boundary
if (realDestinationDir.indexOf(realOutputPath + path.sep) !== 0) {
throw new Error('Path is outside extraction directory');
}
How Exploit:
An attacker can exploit this vulnerability by crafting a malicious archive with the following characteristics:
1. Prepare a Malicious Archive – Create a tarball or zip file containing a file with a path that is a prefix of the extraction target directory. For example, if the target is /tmp/app, include a file that extracts to /tmp/app_config/sensitive.file.
2. Combine with Symlink Abuse – Include a symlink entry pointing to a sensitive system file (e.g., /etc/passwd). The unvalidated symlink creation (CVE-2026-39246) allows the symlink to be created during extraction.
3. Trigger Extraction – The application using `decompress` processes the archive. The vulnerable path check passes because `/tmp/app` is a substring of /tmp/app_config.
4. Write Arbitrary Files – The file is written to /tmp/app_config/sensitive.file, which is outside the intended extraction directory. Combined with the symlink, the attacker can overwrite critical system files or configuration files.
5. Example Exploit Payload:
Create a malicious archive mkdir -p malicious_extract/../app_config echo "malicious content" > malicious_extract/../app_config/.bashrc tar -czf exploit.tar.gz -C malicious_extract . When extracted with decompress < 4.2.2 targeting /tmp/app The file writes to /tmp/app_config/.bashrc instead of /tmp/app/
Exploit Requirements:
- Attacker must be able to supply a crafted archive to the application
- Application must use `decompress` version < 4.2.2
- Extraction target directory must have a parent directory with a name that is a prefix of another existing directory
Protection:
- Immediate Upgrade – Update `decompress` to version 4.2.2 or later:
npm install [email protected]
- Patch the Code Manually – If upgrading is not immediately possible, patch the vulnerable check by appending
path.sep:// In index.js, lines 29 and 106 // Change from: realDestinationDir.indexOf(realOutputPath) !== 0 // To: realDestinationDir.indexOf(realOutputPath + path.sep) !== 0
- Input Validation – Validate all archive contents before extraction. Reject any entries containing `..` or absolute paths:
const path = require('path'); function isSafePath(entryPath, baseDir) { const resolved = path.resolve(baseDir, entryPath); return resolved.startsWith(baseDir + path.sep); } - Use a Different Extraction Library – Consider using libraries with robust path validation, such as `tar` with built-in security checks or `adm-zip` with proper sanitization.
- Run with Least Privilege – Execute extraction processes with minimal filesystem permissions to limit the impact of arbitrary file writes.
- Monitor and Audit – Regularly audit `node_modules` for vulnerable packages using tools like
npm audit:npm audit fix
Impact:
- Integrity Compromise (High) – Attackers can overwrite critical system files, application configuration files, or user data. This can lead to privilege escalation, backdoor installation, or denial of service through configuration corruption.
- Bypass of Previous Security Fix – This vulnerability nullifies the fix for CVE-2020-12265, rendering prior mitigations ineffective.
- Supply Chain Risk – Any application that uses `decompress` for processing user-supplied archives is vulnerable. This includes build tools, CI/CD pipelines, file upload handlers, and data processing services.
- Combined Attack Surface – When chained with CVE-2026-39243 (hardlink creation) and CVE-2026-39246 (symlink creation), the impact escalates from arbitrary file write to full system compromise, including:
- Reading sensitive files via hardlinks (CVE-2026-39243)
- Creating symlinks to overwrite critical files (CVE-2026-39246)
- Writing arbitrary content to any accessible directory (CVE-2026-39245)
- Affected Ecosystem – The `decompress` package has millions of weekly downloads on npm and is used as a dependency in hundreds of other packages. Any application indirectly depending on it is also at risk.
- No User Interaction Required – The attack can be automated and does not require user interaction, making it suitable for mass exploitation in automated environments.
🎯Let’s Practice Exploiting & Learn Patching For Free:
🎓 Live Courses & Certifications:
Join Undercode Academy for Verified Certifications
🚀 Request a Custom Project:
Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands
Sources:
Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

