PatchSiren cyber security CVE debrief
CVE-2026-39245 kevva CVE debrief
CVE-2026-39245 is a directory traversal and arbitrary file write vulnerability in the decompress package before version 4.2.2. The vulnerability exists due to a flawed path containment check in the safeMakeDir function and extraction path validation, which allows an attacker to write arbitrary files to directories adjacent to the extraction target. This vulnerability can be exploited by an attacker to bypass the fix for CVE-2020-12265. The decompress package is widely used in various applications, and developers and administrators should be aware of this vulnerability and take steps to mitigate it.
- Vendor
- kevva
- Product
- decompress
- CVSS
- MEDIUM 6.2
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-09
- Original CVE updated
- 2026-07-10
- Advisory published
- 2026-07-09
- Advisory updated
- 2026-07-10
Who should care
Developers and administrators using the decompress package in their applications should be aware of this vulnerability and take steps to mitigate it. This includes reviewing and validating file extraction paths, implementing additional security controls to prevent arbitrary file writes, and ensuring that the decompress package is upgraded to version 4.2.2 or later.
Technical summary
The decompress package before version 4.2.2 contains an improper path containment check that enables directory traversal and arbitrary file write. The safeMakeDir function and extraction path validation use String.indexOf() to verify the resolved path is within the output directory. However, this check is flawed because it does not enforce a path separator boundary. An attacker can write arbitrary files to directories adjacent to the extraction target by exploiting this vulnerability and the unvalidated symlink creation in the same package.
Defensive priority
Medium
Recommended defensive actions
- Upgrade to decompress version 4.2.2 or later
- Review and validate file extraction paths
- Implement additional security controls to prevent arbitrary file writes
- Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
- Review the supplied official advisory or CVE record to validate affected scope, severity, and vendor guidance
- Plan vendor-supported updates or mitigations through normal change control where exposure is confirmed
- Check relevant monitoring, detection, and logs for exposed assets that need extra review
Evidence notes
The vulnerability is caused by a flawed path containment check in the safeMakeDir function and extraction path validation. The check uses String.indexOf() to verify the resolved path is within the output directory, but it does not enforce a path separator boundary. This allows an attacker to write arbitrary files to directories adjacent to the extraction target by exploiting this vulnerability and the unvalidated symlink creation in the same package. The vulnerability has been reported and verified through source-item and reference sources.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-09T22:17:04.247Z and has not been modified since then.