CVE-2026-10732: Zip Slip Vulnerability in decompress Package – Arbitrary File Write Risk
The decompress package contains a critical flaw that allows attackers to write files anywhere on a system by uploading a specially crafted ZIP archive. The vulnerability exploits a race condition in how the library processes ZIP entries: when a ZIP contains two entries with identical paths—first a symlink pointing to an arbitrary location, then a regular file—the library writes the file's contents through the symlink to a location outside the intended extraction folder. This bypasses protections added in previous fixes, potentially enabling remote code execution if an attacker can control ZIP uploads or extraction workflows.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 6.4 MEDIUM · CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:L
- Weaknesses (CWE)
- CWE-22, CWE-29
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-05 / 2026-06-30
NVD description (verbatim)
All versions of the package decompress are vulnerable to Arbitrary File Write via Archive Extraction (Zip Slip) when extracting a ZIP archive containing two entries with the same path - the first being a symlink to an arbitrary target and the second being a regular file - the file content is written through the symlink to the target location outside the output directory. This is due to the microtask processing order that checks readlink for the second file before resolving symlink for the first file. An attacker can write arbitrary file on the host filesystem potentially leading to remote code execution by providing a specially crafted ZIP archive. **Note:** This bypasses all existing path traversal protections including preventWritingThroughSymlink, added as a part of the fix for [CVE-2020-12265](https://security.snyk.io/vuln/SNYK-JS-DECOMPRESS-557358).
6 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-10732 is a Zip Slip variant affecting the decompress package across all versions. The root cause lies in microtask processing order within the archive extraction logic. When extracting a ZIP with duplicate-path entries (symlink followed by regular file with the same name), the second entry's readlink check executes before the first entry's symlink resolution completes. This allows file content to traverse the symlink and write outside the extraction root. The vulnerability explicitly bypasses the preventWritingThroughSymlink mitigation introduced for CVE-2020-12265, indicating the original path-traversal defense was insufficient against this specific attack pattern. Affected systems must trust ZIP contents or face arbitrary filesystem writes.
Business impact
Organizations relying on decompress for handling user-supplied or untrusted ZIP archives face direct remote code execution risk. If the library is used in file-upload workflows, CI/CD pipelines, or package management systems, attackers can achieve arbitrary code execution on servers processing those archives. The medium CVSS score (6.4) reflects that user interaction (crafted ZIP delivery) is required, but the impact—arbitrary write access to the filesystem—is severe. Unpatched systems could suffer data exfiltration, malware deployment, or system compromise through a single malicious archive.
Affected systems
All versions of the decompress npm package are vulnerable. Organizations should audit application dependencies to identify where decompress is used directly or indirectly (transitive dependencies). Any system extracting untrusted ZIP archives—including servers accepting file uploads, build systems unpacking artifacts, or tools automating archive processing—is at risk if decompress handles that extraction.
Exploitability
The attack requires an attacker to craft a ZIP archive with the specific dual-entry structure and deliver it to a system running vulnerable decompress code. User interaction is needed in the sense that the vulnerable code must execute and attempt extraction; however, this is trivial in automated contexts (web upload handlers, CI/CD jobs, package installers). No network exploitation or elevated privileges are necessary. The CVSS AC:H reflects the complexity of crafting the malicious ZIP, not the difficulty of delivery or impact. In practice, this is readily exploitable for any service accepting or processing ZIP uploads.
Remediation
Upgrade to a patched version of the decompress package issued after 2026-06-05. Verify the fix directly addresses Zip Slip mitigation and symlink handling in the vendor advisory. Until patching is complete, implement layered defenses: run ZIP extraction in isolated, sandboxed environments (containers, VMs); avoid extracting untrusted archives on production systems; validate ZIP contents before extraction; and consider restricting ZIP extraction capabilities if not essential to your application workflow.
Patch guidance
Check the decompress package repository and npm registry for a release dated after the vulnerability publication (2026-06-05) that explicitly addresses this Zip Slip bypass. The fix should include robust symlink detection that does not rely on processing order assumptions. Update using `npm update decompress` or equivalent in your package manager. Test the patched version in a non-production environment, especially if your application handles untrusted archives, before deploying to production. Verify that the fix does not introduce performance regressions in legitimate extraction workflows.
Detection guidance
Monitor for unusual filesystem writes outside expected directories during or immediately after ZIP extraction operations. Log all ZIP extraction attempts, including source, destination, and file listing. Use filesystem integrity monitoring (AIDE, Samhain, Osquery) to detect unauthorized file creation. In application logs, watch for symlink-related errors or skipped files during extraction—these may indicate exploit attempts. If your infrastructure processes ZIPs, enable archive scanning with updated antivirus/malware tools that detect Zip Slip signatures. Network-based detection is difficult; focus on host-level file activity and process auditing around extraction operations.
Why prioritize this
Despite a medium CVSS score, this vulnerability warrants prompt patching because it explicitly bypasses existing protections and enables arbitrary code execution on systems processing untrusted archives. Organizations with web applications accepting file uploads, package management systems, or CI/CD pipelines should prioritize patching within 30 days. Lower priority for systems that process only internal, pre-validated archives or do not extract ZIP files at all; however, transitive dependencies warrant a complete audit before deprioritizing.
Risk score, explained
The CVSS 3.1 score of 6.4 (Medium) reflects the attack vector (Network), attack complexity (High—requires crafted ZIP structure), privileges required (None), user interaction (Required—ZIP must be processed), and impact scope (Unchanged). However, the score understates risk in common deployment scenarios: automated upload handlers and CI/CD systems that extract archives without human confirmation effectively reduce user interaction friction. The underlying impact—arbitrary write access—is severe; the Medium rating primarily penalizes exploit complexity and the need for the victim system to invoke extraction. Organizations should treat this as High priority regardless of the numerical score if they process untrusted archives.
Frequently asked questions
Does this affect decompress versions prior to publication date (2026-06-05)?
Yes, all versions of decompress are vulnerable according to the CVE description. Versions released after 2026-06-05 may contain patches; verify the vendor advisory for the exact patched version. Do not assume older major versions are safe.
What is a 'Zip Slip' vulnerability, and how is this one different from CVE-2020-12265?
Zip Slip is a class of path-traversal attacks where archive extraction writes files outside the intended directory. CVE-2020-12265 introduced preventWritingThroughSymlink to block symlink abuse. This new vulnerability (CVE-2026-10732) bypasses that fix by exploiting a race condition in processing order: the second entry in the archive is evaluated for symlink content before the first entry's symlink is resolved, allowing the write to leak out. The attack is more sophisticated and confirms the earlier fix was incomplete.
Can I safely extract internal archives created by my organization?
If archives are created exclusively by trusted internal processes and never user-supplied or externally sourced, risk is lower. However, the safest approach is still to patch. If patching is delayed, ensure extraction occurs in an isolated environment (container, VM) with minimal filesystem access to critical resources.
How does this affect package managers or build tools that use decompress?
Any build tool, package manager, or application that depends on decompress (directly or transitively) to extract archives is vulnerable if it processes untrusted ZIPs. Examples include npm scripts that unzip downloads, Docker build processes extracting layer artifacts, or custom deployment pipelines. Audit your dependency tree with `npm ls decompress` and prioritize patching if found.
This analysis is provided for informational purposes and reflects the CVE record and vendor advisories as of the publication date. Security conditions change; always verify current patch status, vendor guidance, and your organization's specific configuration before taking remediation action. No exploit code or detailed attack reproduction is provided herein. If you depend on decompress, consult the package maintainers' official security advisory for authoritative patch guidance and timelines. This page does not constitute professional security advice; engage qualified security personnel for your environment. Source: NVD (public-domain), retrieved 2026-07-13. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2018-25393MEDIUMNavigate CMS 2.8.5 Path Traversal Vulnerability (CVSS 6.5)
- CVE-2018-25421MEDIUMOpen STA Manager 2.3 Path Traversal File Download Vulnerability
- CVE-2019-25734MEDIUMContact Form by WD CSRF & Local File Inclusion Vulnerability
- CVE-2019-25740MEDIUMJoomla com_jsjobs Arbitrary File Deletion Vulnerability
- CVE-2024-47263MEDIUMSynology Hyper Backup Path Traversal – Admin Privilege Required
- CVE-2024-47273MEDIUMSynology Hyper Backup Path Traversal Vulnerability (4.3 MEDIUM)
- CVE-2026-0055MEDIUMAndroid Path Traversal in PackageInstallerService Enables Local Privilege Escalation to Device Policy Controller
- CVE-2026-10213MEDIUMAstrBot 4.23.6 Path Traversal in API Endpoint