CVE-2026-56876
Status: Received - Intake
Path Traversal in extract-zip Library

Publication date: 2026-06-26

Last updated on: 2026-06-26

Assigner: Cybersecurity and Infrastructure Security Agency (CISA) U.S. Civilian Government

Description
extract-zip does not validate symlink targets when extracting zip archives. When processing a malicious zip file containing a symlink with a relative path like '../../../../etc/passwd', extract-zip will extract the symlink without validation, allowing it to point outside the extraction directory. Depending on how extract-zip is used, an attacker could read or write to arbitrary files.
Affected Vendors & Products
Currently, no data is known.
CWE

CWE-61: The product, when opening a file or directory, does not sufficiently account for when the file is a symbolic link that resolves to a target outside of the intended control sphere. This could allow an attacker to cause the product to operate on unauthorized files.

CWE-22: The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Executive Summary

CVE-2026-56876 is a vulnerability in the extract-zip library where it does not properly validate symlink targets when extracting zip archives.

When a malicious zip file contains a symlink with a relative path like '../../../../etc/passwd', extract-zip extracts the symlink without checking if it points outside the intended extraction directory.

This allows an attacker to create symlinks that reference arbitrary files on the system, potentially leading to unauthorized reading or writing of files.

Impact Analysis

This vulnerability can have serious impacts depending on how extract-zip is used.

  • An attacker can upload a malicious zip file containing crafted symlinks that point to sensitive system files.
  • When the zip is extracted, these symlinks can allow reading of sensitive files like /etc/passwd or /etc/shadow.
  • It can also allow writing to critical system locations if the server processes or writes to the extracted symlinks.
  • This could lead to unauthorized data access, data modification, privilege escalation, or even remote code execution.
  • Systems affected include server applications accepting user-uploaded zip files, CI/CD pipelines, or any backend using extract-zip to process untrusted archives.
Detection Guidance

This vulnerability involves the extract-zip library extracting symlinks from malicious zip files without validating their targets, allowing path traversal outside the extraction directory.

To detect exploitation attempts or the presence of this vulnerability, monitor for extraction of zip files containing symlinks with relative paths that point outside the expected directories.

  • Inspect zip files before extraction for symlinks with suspicious relative paths like '../../../../etc/passwd'.
  • Use commands like 'unzip -l <file.zip>' to list contents; 'unzip -Z <file.zip>' (zipinfo) additionally prints the stored Unix mode string, where a symlink entry shows as 'lrwxrwxrwx'.
  • After extraction, use 'find <extraction_directory> -type l -ls' to list symlinks and verify their targets.
  • Monitor logs or file system changes for unexpected modifications to sensitive files or directories.
Mitigation Strategies

There is no official patch or remediation available for this vulnerability as the maintainer has been unresponsive for over four years.

Immediate mitigation steps include avoiding the use of the extract-zip library for processing untrusted zip archives.

  • Use alternative libraries such as adm-zip or yauzl that provide proper validation of symlink targets.
  • Manually validate symlinks in zip files before extraction to ensure they do not point outside the intended extraction directory.
  • Run extraction processes in sandboxed or isolated environments to limit potential damage.
  • Monitor and restrict user uploads of zip files or implement strict validation on uploaded archives.