CVE-2026-53486

Source
https://cve.org/CVERecord?id=CVE-2026-53486
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-53486.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-53486
Aliases
Downstream
Related
Published
2026-07-14T20:07:14.190Z
Modified
2026-07-16T03:48:42.765800293Z
Severity
  • 9.1 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N CVSS Calculator
Summary
decompress: Archive extraction can create files and links outside the target directory
Details

The decompress package for Node.js extracts archives. Prior to 10.2.1 and 11.1.3, archive extraction can create files and links outside the target directory. When extracting an archive to a directory, a crafted archive can read or write files outside that directory because hardlink and symlink entries are created without checking where targets point, path containment used a string prefix comparison, and file modes failed to remove setuid, setgid, or sticky bits. This issue is fixed in @xhmikosr/decompress versions 10.2.1 and 11.1.3.

Database specific
{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-22",
        "CWE-59",
        "CWE-732"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/53xxx/CVE-2026-53486.json"
}
References

Affected packages

Git / github.com/xhmikosr/decompress

Affected ranges

Type
GIT
Repo
https://github.com/xhmikosr/decompress
Events
Database specific
{
    "source": [
        "AFFECTED_FIELD",
        "REFERENCES"
    ],
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "10.2.1"
        },
        {
            "introduced": "11.0.0"
        },
        {
            "fixed": "11.1.3"
        }
    ]
}

Affected versions

v10.*
v10.0.0
v10.0.1
v10.1.0
v10.2.0
v11.*
v11.0.0
v11.0.1
v11.0.2
v11.1.0
v11.1.1
v11.1.2
v3.*
v3.0.0
v4.*
v4.0.0
v4.1.0
v4.2.0
v4.2.1
v5.*
v5.0.0
v6.*
v6.0.0
v7.*
v7.0.0
v8.*
v8.0.0
v9.*
v9.0.0
v9.0.1

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-53486.json"