CVE-2026-10732
Awaiting Analysis Awaiting Analysis - Queue
Arbitrary File Write via Zip Slip in Decompress Package

Publication date: 2026-06-05

Last updated on: 2026-06-05

Assigner: Snyk

Description
All versions of the package decompress are vulnerable to Arbitrary File Write via Archive Extraction (Zip Slip) when extracting a ZIP archive containing two entries with the same path - the first being a symlink to an arbitrary target and the second being a regular file - the file content is written through the symlink to the target location outside the output directory. This is due to the microtask processing order that checks readlink for the second file before resolving symlink for the first file. An attacker can write arbitrary file on the host filesystem potentially leading to remote code execution by providing a specially crafted ZIP archive. **Note:** This bypasses all existing path traversal protections including preventWritingThroughSymlink, added as a part of the fix for [CVE-2020-12265](https://security.snyk.io/vuln/SNYK-JS-DECOMPRESS-557358).
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-05
Last Modified
2026-06-05
Generated
2026-06-25
AI Q&A
2026-06-05
EPSS Evaluated
2026-06-24
NVD
CVE-2026-10732
EUVD
EUVD-2026-34785
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
kevva decompress *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-29 The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize '\..\filename' (leading backslash dot dot) sequences that can resolve to a location that is outside of that directory.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-10732 is an Arbitrary File Write vulnerability in the npm package "decompress" affecting all versions. It occurs during the extraction of a specially crafted ZIP archive containing two entries with the same path: the first is a symlink pointing to an arbitrary target, and the second is a regular file. Due to the order in which the package processes these entries, the file content is written through the symlink to a location outside the intended output directory.

This vulnerability bypasses existing path traversal protections, including the preventWritingThroughSymlink safeguard introduced to fix a previous vulnerability (CVE-2020-12265). An attacker can exploit this flaw by providing a malicious ZIP archive that causes files to be written to arbitrary locations on the host filesystem.

Impact Analysis

This vulnerability allows an attacker to write arbitrary files to the host filesystem outside the intended extraction directory. This can lead to overwriting critical files such as executables or configuration files.

The impact includes potential remote code execution if the attacker overwrites files that are executed or loaded by the system or application. For example, overwriting files like "/root/.ssh/authorized_keys" could allow unauthorized access.

Exploitation requires a specially crafted ZIP archive and some user interaction, but no privileges are needed, making it a significant risk for applications using the decompress package to handle ZIP files.

Detection Guidance

This vulnerability involves extracting specially crafted ZIP archives containing two entries with the same path: the first a symlink to an arbitrary target and the second a regular file. Detection involves identifying such ZIP files or monitoring extraction processes for suspicious symlink and file combinations that could lead to arbitrary file writes outside the intended directory.

Since the vulnerability exploits a race condition in symlink resolution during archive extraction, you can detect attempts by scanning for ZIP files with duplicate path entries where one is a symlink and the other a regular file.

Suggested commands to help detect suspicious ZIP archives or extraction behavior include:

  • Use unzip or zipinfo to inspect ZIP archives for duplicate entries with the same path:
  • zipinfo suspicious.zip | sort | uniq -d
  • Check for symlinks inside ZIP archives (requires manual inspection or scripting to parse ZIP entries and their attributes).
  • Monitor file extraction logs or use filesystem auditing tools (e.g., auditd on Linux) to detect writes outside expected directories during decompression.
  • Use commands like `find /extraction/path -type l` to find symlinks created during extraction.
Mitigation Strategies

Immediate mitigation steps include:

  • Avoid extracting untrusted or suspicious ZIP archives, especially those that may contain symlinks.
  • Review and restrict the use of the decompress package in your applications until a fixed version is released.
  • Implement additional validation on ZIP archive contents before extraction, ensuring no duplicate paths with symlinks exist.
  • Use filesystem permissions and sandboxing to limit the impact of any arbitrary file writes.
  • Monitor extraction directories for unexpected file changes or symlinks.

Note that there is currently no fixed version of the decompress package available, so these mitigations are critical to reduce risk.

Compliance Impact

The vulnerability allows attackers to write arbitrary files to the host filesystem outside the intended extraction directory, potentially overwriting sensitive files such as executables or configuration files.

This arbitrary file write and potential remote code execution risk could lead to unauthorized access or modification of sensitive data, which may violate data protection requirements in standards like GDPR and HIPAA.

Specifically, if exploited, it could compromise confidentiality, integrity, and availability of data, thereby impacting compliance with regulations that mandate protection of personal and sensitive information.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-10732. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart