<Vulnerability name="CVE-2026-39245">
    <DocumentDistribution xml:lang="en">Copyright © 2012 Red Hat, Inc. All rights reserved.</DocumentDistribution>
    <ThreatSeverity>Moderate</ThreatSeverity>
    <PublicDate>2026-07-09T00:00:00</PublicDate>
    <Bugzilla id="2498814" url="https://bugzilla.redhat.com/show_bug.cgi?id=2498814" xml:lang="en:us">
decompress: decompress: path traversal via indexOf containment bypass allows arbitrary file write (bypass of CVE-2020-12265 fix)
    </Bugzilla>
    <CVSS3 status="verified">
        <CVSS3BaseScore>6.2</CVSS3BaseScore>
        <CVSS3ScoringVector>CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N</CVSS3ScoringVector>
    </CVSS3>
    <CWE>CWE-22</CWE>
    <Details xml:lang="en:us" source="Mitre">
decompress before 4.2.2 contains an improper path containment check that enables directory traversal and arbitrary file write. The safeMakeDir function (index.js line 29) and the extraction path validation (index.js line 106) use String.indexOf() to verify the resolved path is within the output directory: realDestinationDir.indexOf(realOutputPath) !== 0. This check is flawed because it does not enforce a path separator boundary. For example, "/tmp/app_config".indexOf("/tmp/app") returns 0, incorrectly passing the check even though /tmp/app_config is outside /tmp/app. Combined with the unvalidated symlink creation in the same package, an attacker can write arbitrary files to directories adjacent to the extraction target. This is a bypass of the fix for CVE-2020-12265. The correct check requires appending a path separator: realParentPath.indexOf(realOutputPath + path.sep) !== 0.
    </Details>
    <Details xml:lang="en:us" source="Red Hat">
A flaw was found in the `decompress` component. An improper path containment check allows a local attacker to perform directory traversal. This vulnerability, when combined with unvalidated symlink creation, enables an attacker to write arbitrary files to directories outside the intended extraction target. This issue bypasses a previous fix for CVE-2020-12265.
    </Details>
    <Statement xml:lang="en:us">
Red Hat's assessment aligns with the CVSSv3.1 base score of 6.2 (Moderate) published by CVE.org/CISA for this issue. The vulnerable safeMakeDir/indexOf path-containment check described in this CVE exists only in decompress 4.2.1, the final release that addressed the earlier CVE-2020-12265 path traversal issue. The decompress npm package is no longer maintained upstream and no 4.2.2 release was ever published, despite the CVE description referring to a fix in that version. Some Red Hat products bundle much older decompress releases (0.2.5, 3.0.0) that predate this code path entirely and are not affected by this specific issue.
    </Statement>
    <Mitigation xml:lang="en:us">
No upstream fix is available. The decompress package is unmaintained and no 4.2.2 release was ever published. Applications should avoid extracting untrusted archives with decompress 4.2.1, or migrate to a maintained fork such as @xhmikosr/decompress.
    </Mitigation>
    <AffectedRelease cpe="cpe:/a:redhat:hummingbird:1">
        <ProductName>Red Hat Hardened Images</ProductName>
        <ReleaseDate>2026-07-10T00:00:00Z</ReleaseDate>
        <Advisory type="RHSA" url="https://access.redhat.com/errata/RHSA-2026:37577">RHSA-2026:37577</Advisory>
        <Package name="dotnet8-0-main">dotnet8-0-main-8.0.128-1.1.hum1</Package>
    </AffectedRelease>
    <PackageState cpe="cpe:/a:redhat:acm:2">
        <ProductName>Red Hat Advanced Cluster Management for Kubernetes 2</ProductName>
        <FixState>Not affected</FixState>
        <PackageName>rhacm2/volsync-operator-bundle</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:acm:2">
        <ProductName>Red Hat Advanced Cluster Management for Kubernetes 2</ProductName>
        <FixState>Not affected</FixState>
        <PackageName>rhacm2/volsync-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:build_keycloak:">
        <ProductName>Red Hat Build of Keycloak</ProductName>
        <FixState>Fix deferred</FixState>
        <PackageName>decompress</PackageName>
    </PackageState>
    <References xml:lang="en:us">
https://www.cve.org/CVERecord?id=CVE-2026-39245
https://nvd.nist.gov/vuln/detail/CVE-2026-39245
https://github.com/kevva/decompress
https://github.com/kevva/decompress/issues/115
https://nvd.nist.gov/vuln/detail/CVE-2020-12265
https://www.npmjs.com/package/decompress
    </References>
</Vulnerability>