CVE-2026-39245
Undergoing Analysis Undergoing Analysis - In Progress

decompress before 4.2.2 Path Traversal and Arbitrary File Write

Vulnerability report for CVE-2026-39245, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-09

Last updated on: 2026-07-10

Assigner: MITRE

Description

decompress before 4.2.2 contains an improper path containment check that enables directory traversal and arbitrary file write. The safeMakeDir function (index.js line 29) and the extraction path validation (index.js line 106) use String.indexOf() to verify the resolved path is within the output directory: realDestinationDir.indexOf(realOutputPath) !== 0. This check is flawed because it does not enforce a path separator boundary. For example, "/tmp/app_config".indexOf("/tmp/app") returns 0, incorrectly passing the check even though /tmp/app_config is outside /tmp/app. Combined with the unvalidated symlink creation in the same package, an attacker can write arbitrary files to directories adjacent to the extraction target. This is a bypass of the fix for CVE-2020-12265. The correct check requires appending a path separator: realParentPath.indexOf(realOutputPath + path.sep) !== 0.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-09
Last Modified
2026-07-10
Generated
2026-07-11
AI Q&A
2026-07-10
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
kevva decompress to 4.2.2 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Mitigation Strategies

To mitigate this vulnerability, ensure that the path containment check correctly enforces a path separator boundary when validating extraction paths.

Specifically, update the code to use a check like realParentPath.indexOf(realOutputPath + path.sep) !== 0 instead of realDestinationDir.indexOf(realOutputPath) !== 0.

Additionally, review and restrict unvalidated symlink creation in the package to prevent arbitrary file writes.

Consider upgrading decompress to a version later than 4.2.2 where this issue is fixed.

Executive Summary

This vulnerability exists in decompress versions before 4.2.2 and involves an improper path containment check that allows directory traversal and arbitrary file write.

The issue is in the safeMakeDir function and extraction path validation, which use String.indexOf() to verify that the resolved path is within the intended output directory. However, this check is flawed because it does not enforce a path separator boundary, causing paths like "/tmp/app_config" to incorrectly pass as being inside "/tmp/app".

Because of this flaw, combined with unvalidated symbolic link creation in the package, an attacker can write arbitrary files to directories adjacent to the extraction target, bypassing intended security restrictions.

This vulnerability is a bypass of a previous fix (CVE-2020-12265) and the correct fix requires appending a path separator to the path check.

Impact Analysis

This vulnerability can allow an attacker to write arbitrary files to directories outside the intended extraction directory.

Such arbitrary file writes can lead to unauthorized modification or creation of files, potentially enabling code execution, privilege escalation, or disruption of system or application functionality.

Because the attacker can bypass directory restrictions, this can compromise the integrity and security of the affected system.

Compliance Impact

The vulnerability allows an attacker to perform directory traversal and arbitrary file writes outside the intended extraction directory. This can lead to unauthorized modification or creation of files on the affected system.

Such unauthorized file writes could potentially result in data integrity issues or unauthorized access to sensitive information, which may impact compliance with standards like GDPR or HIPAA that require protection of data confidentiality and integrity.

However, the provided information does not explicitly describe direct impacts on compliance with these regulations.

Detection Guidance

This vulnerability involves a flawed path containment check in the decompress package, which can be exploited by crafted archives to perform directory traversal and arbitrary file writes outside the intended extraction directory.

To detect exploitation attempts or presence of this vulnerability on your system or network, you can:

  • Monitor extraction operations using the decompress package for suspicious file writes outside the expected output directories.
  • Check for unexpected or unauthorized symbolic links created during archive extraction.
  • Audit logs for file creation or modification in directories adjacent to the intended extraction path.

Specific commands depend on your environment, but example commands include:

  • Use find to detect recently created or modified files outside expected directories, e.g., `find /tmp -type f -newermt '2026-07-09'` to find files modified after the vulnerability publication date.
  • Use ls or stat to inspect symbolic links in extraction directories, e.g., `find /tmp/app -type l -ls`.
  • Monitor system logs or application logs for errors or warnings related to decompress package usage.

Until a patch is applied, avoid extracting untrusted archives with the decompress package to prevent exploitation.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-39245. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart