Description
Compressing is a compressing and uncompressing library for Node. In versions 1.10.3 and prior, and in 2.0.0, Compressing extracts TAR archives while restoring symbolic links without validating their targets. By embedding symlinks that resolve outside the intended extraction directory, an attacker can cause subsequent file entries to be written to arbitrary locations on the host file system. Depending on the extractor's handling of existing files, this behavior may allow overwriting sensitive files or creating new files in security-critical locations. This issue has been patched in versions 1.10.4 and 2.0.1.
Published: 2026-02-04
Score: 8.4 High
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary File Write
Action: Immediate Patch
AI Analysis

Impact

This vulnerability allows an attacker to manipulate the extraction of TAR archives in the Compressing library and create symbolic links that point to locations outside the intended extraction directory. The library does not validate these links, enabling a malicious archive to write files to arbitrary paths on the host file system, potentially overwriting critical configuration files or creating files in sensitive areas. The weakness is categorized as CWE‑59, reflecting the insecure handling of symbolic links during file operations.

Affected Systems

The affected package is node-modules Compressing. Versions 1.10.3 and older, as well as 2.0.0, are vulnerable. The issue has been fixed in 1.10.4 and 2.0.1, so any installations still using the older releases are at risk.

Risk and Exploitability

The reported CVSS score is 8.4, indicating high severity. The EPSS score is below 1%, suggesting low but nonzero exploitation likelihood at present. The vulnerability is not listed in the CISA KEV catalog. The analysis infers a remote attack path even though the CVSS vector recorded below is local (AV:L, since the archive must be unpacked on the host): an attacker can supply a malicious TAR file to any process that unpacks untrusted archives using this library. Successful exploitation could lead to privileged file writes, enabling persistence, privilege escalation, or subsequent remote code execution if executable files are written and later executed.

Generated by OpenCVE AI on April 18, 2026 at 13:46 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Compressing library to at least version 1.10.4 or 2.0.1 where the symlink validation is fixed.
  • If an update is temporarily unavailable, configure the application to extract archives in a dedicated, non‑privileged directory and enforce strict ownership and permission checks so that even if a symlink is written, it cannot target system files.
  • Enhance the extraction logic with an internal check: before restoring a symbolic link, verify that its resolved target remains inside the intended extraction base directory, and reject such links as invalid when it does not. Apply the same containment check to the real path of every later file entry, since an entry may be routed through a symlink restored earlier in the archive.

Advisories

Source: GitHub GHSA
ID: GHSA-cc8f-xg8v-72m3
Title: Compressing Vulnerable to Arbitrary File Write via Symlink Extraction

History

Fri, 27 Feb 2026 20:30:00 +0000

CPEs (values added):
  cpe:2.3:a:node-modules:compressing:*:*:*:*:*:node.js:*:*
  cpe:2.3:a:node-modules:compressing:2.0.0:*:*:*:*:node.js:*:*

Thu, 05 Feb 2026 15:15:00 +0000

Metrics (value added): ssvc
  {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 05 Feb 2026 11:45:00 +0000

First Time appeared (values added): Node-modules; Node-modules compressing
Vendors & Products (values added): Node-modules; Node-modules compressing

Wed, 04 Feb 2026 20:00:00 +0000

Description (value added): Compressing is a compressing and uncompressing lib for node. In version 2.0.0 and 1.10.3 and prior, Compressing extracts TAR archives while restoring symbolic links without validating their targets. By embedding symlinks that resolve outside the intended extraction directory, an attacker can cause subsequent file entries to be written to arbitrary locations on the host file system. Depending on the extractor's handling of existing files, this behavior may allow overwriting sensitive files or creating new files in security-critical locations. This issue has been patched in versions 1.10.4 and 2.0.1.
Title (value added): Compressing Vulnerable to Arbitrary File Write via Symlink Extraction
Weaknesses (value added): CWE-59
References:
Metrics (value added): cvssV3_1
  {'score': 8.4, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


MITRE
Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-02-05T14:32:51.788Z
Reserved: 2026-01-27T19:35:20.527Z
Link: CVE-2026-24884

Vulnrichment
Updated: 2026-02-05T14:23:13.106Z

NVD
Status: Analyzed
Published: 2026-02-04T20:16:05.703
Modified: 2026-02-27T20:27:32.587
Link: CVE-2026-24884

Redhat
No data.

OpenCVE Enrichment
Updated: 2026-04-18T14:00:02Z

Weaknesses