CVE-2026-56876
Analyzed Analyzed - Analysis Complete

Path Traversal in extract-zip Library

Vulnerability report for CVE-2026-56876, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-26

Last updated on: 2026-07-06

Assigner: Cybersecurity and Infrastructure Security Agency (CISA) U.S. Civilian Government

Description

extract-zip does not validate symlink targets when extracting zip archives. When processing a malicious zip file containing a symlink with a relative path like '../../../../etc/passwd', extract-zip will extract the symlink without validation, allowing it to point outside the extraction directory. Depending on how extract-zip is used, an attacker could read or write to arbitrary files.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-26
Last Modified
2026-07-06
Generated
2026-07-16
AI Q&A
2026-06-26
EPSS Evaluated
2026-07-15
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
max-mapper extract-zip to 2.0.1 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-61 The product, when opening a file or directory, does not sufficiently account for when the file is a symbolic link that resolves to a target outside of the intended control sphere. This could allow an attacker to cause the product to operate on unauthorized files.
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-56876 is a vulnerability in the extract-zip library where it does not properly validate symlink targets when extracting zip archives.

When a malicious zip file contains a symlink with a relative path like '../../../../etc/passwd', extract-zip extracts the symlink without checking if it points outside the intended extraction directory.

This allows an attacker to create symlinks that reference arbitrary files on the system, potentially leading to unauthorized reading or writing of files.

Detection Guidance

This vulnerability involves the extract-zip library extracting symlinks from malicious zip files without validating their targets, allowing path traversal outside the extraction directory.

To detect exploitation attempts or presence of this vulnerability, you can monitor for extraction of zip files containing symlinks with relative paths that point outside expected directories.

  • Inspect zip files before extraction for symlinks with suspicious relative paths like '../../../../etc/passwd'.
  • Use commands like 'unzip -l <file.zip>' to list contents and identify symlinks.
  • After extraction, use 'find <extraction_directory> -type l -ls' to list symlinks and verify their targets.
  • Monitor logs or file system changes for unexpected modifications to sensitive files or directories.
Impact Analysis

This vulnerability can have serious impacts depending on how extract-zip is used.

  • An attacker can upload a malicious zip file containing crafted symlinks that point to sensitive system files.
  • When the zip is extracted, these symlinks can allow reading of sensitive files like /etc/passwd or /etc/shadow.
  • It can also allow writing to critical system locations if the server processes or writes to the extracted symlinks.
  • This could lead to unauthorized data access, data modification, privilege escalation, or even remote code execution.
  • Systems affected include server applications accepting user-uploaded zip files, CI/CD pipelines, or any backend using extract-zip to process untrusted archives.
Compliance Impact

This vulnerability allows attackers to read or write arbitrary files on systems using the extract-zip library without proper symlink validation. Such unauthorized access or modification of sensitive data can lead to breaches of confidentiality and integrity.

Because of the potential exposure or alteration of sensitive information, organizations affected by this vulnerability may face challenges in maintaining compliance with data protection regulations such as GDPR and HIPAA, which require strict controls over personal and sensitive data.

Exploitation of this vulnerability could result in unauthorized data disclosure or modification, which are violations of these regulations' requirements for data security and privacy.

Mitigation Strategies

There is no official patch or remediation available for this vulnerability as the maintainer has been unresponsive for over four years.

Immediate mitigation steps include avoiding the use of the extract-zip library for processing untrusted zip archives.

  • Use alternative libraries such as adm-zip or yauzl that provide proper validation of symlink targets.
  • Manually validate symlinks in zip files before extraction to ensure they do not point outside the intended extraction directory.
  • Run extraction processes in sandboxed or isolated environments to limit potential damage.
  • Monitor and restrict user uploads of zip files or implement strict validation on uploaded archives.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-56876. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart