CVE-2026-10732
Received - Intake
Arbitrary File Write via Zip Slip in Decompress Package

Publication date: 2026-06-05

Last updated on: 2026-06-05

Assigner: Snyk

Description
All versions of the package decompress are vulnerable to Arbitrary File Write via Archive Extraction (Zip Slip) when extracting a ZIP archive containing two entries with the same path, the first being a symlink to an arbitrary target and the second a regular file: the file content is written through the symlink to the target location outside the output directory. This is due to the microtask processing order, which runs the readlink check for the second entry before the symlink for the first entry has been resolved. An attacker can write an arbitrary file on the host filesystem, potentially leading to remote code execution, by providing a specially crafted ZIP archive. **Note:** This bypasses all existing path traversal protections, including preventWritingThroughSymlink, which was added as part of the fix for [CVE-2020-12265](https://security.snyk.io/vuln/SNYK-JS-DECOMPRESS-557358).
Meta Information
Generated: 2026-06-05
AI Q&A: 2026-06-05
EPSS Evaluated: N/A
Affected Vendors & Products (1 associated CPE)
Vendor: kevva
Product: decompress
Version / Range: *
CWE-29: The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize '\..\filename' (leading backslash dot dot) sequences that can resolve to a location that is outside of that directory.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-10732 is an Arbitrary File Write vulnerability in the npm package "decompress" affecting all versions. It occurs during the extraction of a specially crafted ZIP archive containing two entries with the same path: the first is a symlink pointing to an arbitrary target, and the second is a regular file. Due to the order in which the package processes these entries, the file content is written through the symlink to a location outside the intended output directory.

This vulnerability bypasses existing path traversal protections, including the preventWritingThroughSymlink safeguard introduced to fix a previous vulnerability (CVE-2020-12265). An attacker can exploit this flaw by providing a malicious ZIP archive that causes files to be written to arbitrary locations on the host filesystem.


How can this vulnerability impact me?

This vulnerability allows an attacker to write arbitrary files to the host filesystem outside the intended extraction directory. This can lead to overwriting critical files such as executables or configuration files.

The impact includes potential remote code execution if the attacker overwrites files that are executed or loaded by the system or application. For example, overwriting files like "/root/.ssh/authorized_keys" could allow unauthorized access.

Exploitation requires a specially crafted ZIP archive and some user interaction, but no privileges are needed, making it a significant risk for applications using the decompress package to handle ZIP files.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability involves extracting specially crafted ZIP archives containing two entries with the same path: the first a symlink to an arbitrary target and the second a regular file. Detection involves identifying such ZIP files or monitoring extraction processes for suspicious symlink and file combinations that could lead to arbitrary file writes outside the intended directory.

Since the vulnerability exploits an ordering flaw in symlink resolution during archive extraction (the readlink check for the later entry runs before the earlier symlink entry has been resolved), you can detect attempts by scanning for ZIP files with duplicate path entries where one is a symlink and the other a regular file.

Suggested commands to help detect suspicious ZIP archives or extraction behavior include:

  • Use unzip or zipinfo to inspect ZIP archives for duplicate entries with the same path. The `-1` flag lists bare entry names, so the symlink and regular-file entries compare equal even though their permission columns differ: `zipinfo -1 suspicious.zip | sort | uniq -d`
  • Check for symlinks inside ZIP archives (requires manual inspection or scripting to parse ZIP entries and their external attributes, where Unix writers store the file mode).
  • Monitor file extraction logs or use filesystem auditing tools (e.g., auditd on Linux) to detect writes outside expected directories during decompression.
  • Use commands like `find /extraction/path -type l` to find symlinks created during extraction.

What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include:

  • Avoid extracting untrusted or suspicious ZIP archives, especially those that may contain symlinks.
  • Review and restrict the use of the decompress package in your applications until a fixed version is released.
  • Implement additional validation on ZIP archive contents before extraction, ensuring no duplicate paths with symlinks exist.
  • Use filesystem permissions and sandboxing to limit the impact of any arbitrary file writes.
  • Monitor extraction directories for unexpected file changes or symlinks.

Note that there is currently no fixed version of the decompress package available, so these mitigations are critical to reduce risk.
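The scripted archive inspection the detection answer calls for, and the pre-extraction validation from the mitigation list, can be done with one check over the ZIP central directory: flag any path that appears more than once where at least one entry is a symlink. The following is an added example using only Python's standard zipfile module; it is not code from the decompress project or this advisory, and the sample archive it inspects is constructed inline.

```python
import io
import stat
import warnings
import zipfile
from collections import defaultdict


def is_symlink_entry(info: zipfile.ZipInfo) -> bool:
    """Unix ZIP writers store st_mode in the high 16 bits of external_attr."""
    return stat.S_ISLNK(info.external_attr >> 16)


def find_symlink_collisions(data: bytes) -> list:
    """Report every path stored more than once where at least one of the
    entries is a symlink: the precondition for the CVE-2026-10732 write."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        by_path = defaultdict(list)
        # infolist() keeps duplicates in central-directory order; getinfo() would not.
        for info in zf.infolist():
            by_path[info.filename.rstrip("/")].append(info)
        for path, entries in by_path.items():
            kinds = ["symlink" if is_symlink_entry(i) else "file" for i in entries]
            if len(entries) > 1 and "symlink" in kinds:
                # A symlink entry's stored content is its target path.
                targets = [zf.read(i).decode("utf-8", "replace")
                           for i in entries if is_symlink_entry(i)]
                findings.append({"path": path, "kinds": kinds, "targets": targets})
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample: 'config.json' stored twice, first as a symlink
    entry and then as a regular file, the pattern the advisory describes."""
    buf = io.BytesIO()
    with warnings.catch_warnings():
        warnings.simplefilter("ignore")  # zipfile warns about the duplicate name
        with zipfile.ZipFile(buf, "w") as zf:
            link = zipfile.ZipInfo("config.json")
            link.create_system = 3  # Unix: external_attr carries the mode bits
            link.external_attr = (stat.S_IFLNK | 0o777) << 16
            zf.writestr(link, "../outside-of-output-dir/config.json")
            zf.writestr("config.json", '{"overwritten": true}')
    return buf.getvalue()


if __name__ == "__main__":
    for f in find_symlink_collisions(build_sample_zip()):
        print(f"REJECT {f['path']}: entries={f['kinds']} targets={f['targets']}")
```

Run the check before handing an archive to decompress and reject it on any finding; a stricter policy for untrusted input is to reject every symlink entry, not only colliding ones.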


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability allows attackers to write arbitrary files to the host filesystem outside the intended extraction directory, potentially overwriting sensitive files such as executables or configuration files.

This arbitrary file write and potential remote code execution risk could lead to unauthorized access or modification of sensitive data, which may violate data protection requirements in standards like GDPR and HIPAA.

Specifically, if exploited, it could compromise confidentiality, integrity, and availability of data, thereby impacting compliance with regulations that mandate protection of personal and sensitive information.

