CVE-2026-39246
Undergoing Analysis Undergoing Analysis - In Progress

Arbitrary Symlink Creation in Decompress Library

Vulnerability report for CVE-2026-39246, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-09

Last updated on: 2026-07-10

Assigner: MITRE

Description

decompress before 4.2.2 allows arbitrary symlink creation during archive extraction. When processing symlink entries (type === 'symlink'), the x.linkname field from the archive is passed directly to fs.symlink() without validation (index.js line 121). The preventWritingThroughSymlink check on line 98 only applies to file entries, not symlink creation. An attacker can craft an archive with symlink entries pointing to sensitive files outside the extraction directory (e.g., /etc/passwd), enabling information disclosure when the application reads the extracted contents.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-09
Last Modified
2026-07-10
Generated
2026-07-11
AI Q&A
2026-07-10
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
kevva decompress to 4.2.1 (inc)
kevva decompress to 4.2.1 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-59 The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

This vulnerability allows an attacker to create arbitrary symbolic links during archive extraction, potentially leading to information disclosure by accessing sensitive files outside the intended extraction directory.

Such unauthorized access to sensitive information could result in violations of data protection regulations like GDPR and HIPAA, which mandate strict controls over the confidentiality and integrity of personal and health-related data.

Therefore, exploitation of this vulnerability may compromise compliance with these standards by enabling unauthorized disclosure of protected information.

Executive Summary

The vulnerability exists in decompress versions before 4.2.2, where arbitrary symbolic link (symlink) creation is possible during archive extraction.

When processing symlink entries in an archive, the x.linkname field is passed directly to the fs.symlink() function without any validation.

A security check intended to prevent writing through symlinks only applies to file entries, not to the creation of symlinks themselves.

This allows an attacker to craft an archive containing symlink entries that point to sensitive files outside the extraction directory, such as /etc/passwd.

As a result, when the application reads the extracted contents, it may disclose sensitive information.

Impact Analysis

This vulnerability can lead to information disclosure by allowing attackers to create symlinks pointing to sensitive files outside the intended extraction directory.

When the application reads the extracted contents, it may inadvertently expose sensitive data such as system files.

This can compromise the confidentiality of sensitive information on the affected system.

Detection Guidance

This vulnerability involves arbitrary symlink creation during archive extraction by the decompress package, which can lead to information disclosure by following symlinks to sensitive files.

To detect exploitation attempts or presence of this vulnerability on your system, you can check extracted directories for unexpected symlinks pointing outside the intended extraction directory, especially to sensitive system files like /etc/passwd or /root/.ssh/id_rsa.

Suggested commands to find suspicious symlinks after extraction:

  • find /path/to/extracted/files -type l -exec ls -l {} \;
  • find /path/to/extracted/files -type l -xtype l
  • readlink -f /path/to/extracted/files/* to verify where symlinks point

Monitoring network traffic for archive extraction requests or uploads of suspicious archives may also help detect attempts to exploit this vulnerability.

Mitigation Strategies

The primary mitigation is to avoid extracting untrusted or unauthenticated archives using the vulnerable decompress package versions (<= 4.2.1).

Since the vulnerability arises from lack of validation on symlink targets during extraction, immediate steps include:

  • Do not extract archives from untrusted sources with decompress versions prior to 4.2.2.
  • Validate or sanitize symlink entries in archives before extraction to ensure they do not point outside the intended extraction directory.
  • Consider patching or modifying the decompress package code to add validation for symlink targets similar to the existing preventWritingThroughSymlink check for file entries.
  • Monitor and audit extracted files for unexpected symlinks pointing to sensitive locations.

As of the report date, no official fix is available, so these mitigations are critical to prevent exploitation.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-39246. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart