<Vulnerability name="CVE-2026-53486">
    <DocumentDistribution xml:lang="en">Copyright © 2012 Red Hat, Inc. All rights reserved.</DocumentDistribution>
    <ThreatSeverity>Important</ThreatSeverity>
    <PublicDate>2026-07-14T20:07:14</PublicDate>
    <Bugzilla id="2500679" url="https://bugzilla.redhat.com/show_bug.cgi?id=2500679" xml:lang="en:us">
decompress: @xhmikosr/decompress: Decompress: Arbitrary file read/write via crafted archive extraction
    </Bugzilla>
    <CVSS3 status="verified">
        <CVSS3BaseScore>8.1</CVSS3BaseScore>
        <CVSS3ScoringVector>CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N</CVSS3ScoringVector>
    </CVSS3>
    <CWE>CWE-22</CWE>
    <Details xml:lang="en:us" source="Mitre">
The decompress package for Node.js extracts archives. Prior to 10.2.1 and 11.1.3, archive extraction can create files and links outside the target directory. When extracting an archive to a directory, a crafted archive can read or write files outside that directory because hardlink and symlink entries are created without checking where targets point, path containment used a string prefix comparison, and file modes failed to remove setuid, setgid, or sticky bits. This issue is fixed in @xhmikosr/decompress versions 10.2.1 and 11.1.3.
    </Details>
    <Details xml:lang="en:us" source="Red Hat">
A flaw was found in the decompress package for Node.js. A remote attacker can exploit this vulnerability by crafting a malicious archive. When the archive is extracted, it can create files and links outside the intended directory, leading to unauthorized reading or writing of files. This is due to improper handling of hardlink and symlink entries, insufficient path containment checks, and failure to remove setuid, setgid, or sticky bits from file modes. This can result in high confidentiality and integrity impacts.
    </Details>
    <Statement xml:lang="en:us">
Red Hat Build of Keycloak, Red Hat Advanced Cluster Management (VolSync), Red Hat Hardened Images (dotnet8.0), and the Fedora/EPEL yarnpkg packages bundle the original, unmaintained npm decompress package (version 4.2.1 or earlier), which does not receive an upstream fix for this issue. None of these components use the actively maintained @xhmikosr/decompress fork that received the fix in versions 10.2.1 and 11.1.3. Red Hat rates this issue with a CVSS score of 8.1 (Important), reflecting that in these products archive extraction is performed on locally supplied or build-time archives rather than automatically on arbitrary network-supplied input, which Red Hat scores as requiring user interaction (UI:R) in contrast to the upstream CVSS score of 9.1.
    </Statement>
    <Mitigation xml:lang="en:us">
There is no upstream fix for the original, unmaintained decompress npm package used by these components (last release 4.2.1). The maintained fork, @xhmikosr/decompress, resolves this issue in versions 10.2.1 and 11.1.3, but is not used by any affected Red Hat component. As a general mitigation, only extract archives from trusted sources with the affected tooling, run extraction as a non-root user to prevent the setuid/setgid/sticky-bit issue from creating a privileged file, and verify that any symlinks or hardlinks produced by extraction resolve inside the intended output directory.
    </Mitigation>
    <AffectedRelease impact="important" cpe="cpe:/a:redhat:hummingbird:1">
        <ProductName>Red Hat Hardened Images</ProductName>
        <ReleaseDate>2026-07-15T00:00:00Z</ReleaseDate>
        <Advisory type="RHSA" url="https://access.redhat.com/errata/RHSA-2026:40415">RHSA-2026:40415</Advisory>
        <Package name="dotnet8-0-main">dotnet8-0-main-8.0.128-1.2.hum1</Package>
    </AffectedRelease>
    <PackageState cpe="cpe:/a:redhat:acm:2">
        <ProductName>Red Hat Advanced Cluster Management for Kubernetes 2</ProductName>
        <FixState>Out of support scope</FixState>
        <PackageName>rhacm2/volsync-operator-bundle</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:acm:2">
        <ProductName>Red Hat Advanced Cluster Management for Kubernetes 2</ProductName>
        <FixState>Out of support scope</FixState>
        <PackageName>rhacm2/volsync-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:build_keycloak:">
        <ProductName>Red Hat Build of Keycloak</ProductName>
        <FixState>Affected</FixState>
        <PackageName>decompress</PackageName>
    </PackageState>
    <References xml:lang="en:us">
https://www.cve.org/CVERecord?id=CVE-2026-53486
https://nvd.nist.gov/vuln/detail/CVE-2026-53486
https://github.com/XhmikosR/decompress/commit/281cefa00cd4275c10479bc5f1abba6b14dee8bd
https://github.com/XhmikosR/decompress/commit/60b5299402e72b0b53ca2e55222e9a1ccb44afae
https://github.com/XhmikosR/decompress/commit/9fcda4b0a66ca22dc8d337f9b0e7c30293c5fb89
https://github.com/XhmikosR/decompress/commit/aca5aac415dc04a6fae5200e51368cff436a09dd
https://github.com/XhmikosR/decompress/releases/tag/v10.2.1
https://github.com/XhmikosR/decompress/releases/tag/v11.1.3
https://github.com/XhmikosR/decompress/security/advisories/GHSA-mp2f-45pm-3cg9
    </References>
</Vulnerability>