securityonline.info 7/12/2026, 1:56:56 PM · external

Popular NPM Decompress Package Hit by Critical Path Traversal Flaw

Popular NPM Decompress Package Hit by Critical Path Traversal Flaw
CyberSIXT Evidence Panel
Primary Source github.com
CISA KEV Not in KEV
Patch Patch Status Unknown

THE security vulnerability CVE-2026-53486 affects the @xhmikosr/decompress npm package, allowing crafted archives to write files outside the extraction directory, with a CVSS score of 9.1. The affected versions include < 10.2.1, >= 11.0.0, < 11.1.3, and <= 4.2.1. While there are no confirmed exploitations, the flaw poses significant risk, especially in environments where it runs as root. The vulnerability has been patched in versions 10.2.1 and 11.1.3, which implement stricter checks on link targets.

Users are advised to update immediately or use temporary workarounds, such as only extracting trusted archives and running as a non-root user.

View Primary Source Via securityonline.info

Article by CyberSIXT