CVE-2026-56876
HighCVSS 8.1Exploitation Probability (EPSS)
Low risk24th percentile - higher than 24% of all known CVEs
Summary
The extract-zip library does not validate symlink targets when extracting zip archives. When processing a malicious zip file containing a symlink with a relative path like '../../../../etc/passwd', extract-zip extracts the symlink without validation, allowing it to point outside the extraction directory. Depending on how extract-zip is used, an attacker could read or write to arbitrary files.
Risk Assessment
The risk involves potential unauthorized access to sensitive system files or writing malicious data outside the target directory, which could compromise system confidentiality, integrity, or availability.
Recommendation
It is recommended to immediately update the extract-zip library to the latest version that includes a fix for symlink validation. If an update is not available, temporarily stop using extract-zip to extract archives from untrusted sources.
Original NVD description (English source)
extract-zip does not validate symlink targets when extracting zip archives. When processing a malicious zip file containing a symlink with a relative path like '../../../../etc/passwd', extract-zip will extract the symlink without validation, allowing it to point outside the extraction directory. Depending on how extract-zip is used, an attacker could read or write to arbitrary files.

