- CVE: CVE-2026-53486
- CVSS: 9.1 (Critical · CVSSv3)
- Product: @xhmikosr/decompress (npm)
- Affected: < 10.2.1, >= 11.0.0, < 11.1.3, <= 4.2.1
- Impact: Decompress: Archive extraction can create files and links outside of the target directory
- Status: No confirmed exploitation yet
- Patched in: 10.2.1, 11.1.3
- Action: Update to 10.2.1, 11.1.3 now
TL;DR
A high-severity decompress npm vulnerability lets crafted archives write files outside the extraction folder. Tracked as CVE-2026-53486, the flaw carries a CVSS score of 9.1. It sits in a library that npm serves more than 2.8 million times each week. So far, no public proof-of-concept or in-the-wild attack has been confirmed.
Why This decompress Flaw Matters
Archive tools run almost everywhere, from CI pipelines to install scripts. Many services also download archives before they unpack them. As a result, an attacker can reach this bug across the network. The danger grows when it runs as root inside a container. A crafted archive can then drop a setuid file and grab root.
How the Attack Works
The package writes archive entries without checking where links point. A hardlink can aim at any file the process reads, which exposes that file inside the output. A symlink, by contrast, can point outside the folder and hijack a later write. The old containment check compared paths with a simple string prefix. Because of that weakness, an entry could escape into a sibling directory. On top of this, file modes kept the setuid, setgid, and sticky bits.
Affected Versions
This decompress npm vulnerability touches every format the library handles. That list covers tar, tar.gz, tar.bz2, and zip by default. The original decompress project is unmaintained. Therefore every release through 4.2.1 stays exposed, and no upstream fix exists.
Patch and Mitigation
Maintainers fixed the bug in the xhmikosr decompress fork at 10.2.1 and 11.1.3. The version 11.1.3 release fixes link targets, checks the real path with path.relative, and strips risky mode bits. Upgrade to 11.1.3 or later as soon as you can.
Temporary workarounds
Until you patch, extract only archives you trust. Also run it as a non-root user, since that blunts the mode problem. Finally, reject any link that points outside the target after you unpack.
Support Our Threat Intelligence
If you find our CVE report and cybersecurity news helpful, consider supporting our work.