Impact
The vulnerability is in the compressing library for Node.js, specifically in the isPathWithinParent utility, which performs a purely logical string check to confirm that a resolved extraction path begins with the intended destination directory. This vulnerability is a CWE-59 Path Traversal flaw. Because the check ignores the actual filesystem state, the logical path and the physical path can diverge. An attacker can exploit this by placing a pre-existing symbolic link that points outside the intended directory, a technique known as directory poisoning. When the check is bypassed, archive extraction can write files to arbitrary locations, allowing the attacker to overwrite or create files that the application or user is not authorized to modify, potentially leading to remote code execution or privilege escalation. The fix is included in versions 2.1.1 and 1.10.5.
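The gap between a logical prefix check and the physical filesystem, as an added example that is not the compressing library's own code. The helpers logicalWithin and physicalWithin are hypothetical names, and the directory layout is constructed in a temporary directory.

```javascript
const fs = require('node:fs');
const os = require('node:os');
const path = require('node:path');

// String-only check: does the resolved target begin with the destination?
function logicalWithin(parent, target) {
  return path.resolve(target).startsWith(path.resolve(parent) + path.sep);
}

// Filesystem-aware check: resolve symlinks on the deepest existing ancestor
// of the target (the file itself usually does not exist yet), then compare.
function physicalWithin(parent, target) {
  const realParent = fs.realpathSync(parent);
  let existing = path.resolve(target);
  const tail = [];
  while (!fs.lstatSync(existing, { throwIfNoEntry: false })) {
    tail.unshift(path.basename(existing));
    existing = path.dirname(existing);
  }
  let real;
  try {
    real = path.join(fs.realpathSync(existing), ...tail);
  } catch {
    return false; // dangling symlink in the path: refuse
  }
  return real === realParent || real.startsWith(realParent + path.sep);
}

// Constructed layout: dest/assets is a pre-existing symlink to a sibling dir.
function demo() {
  const root = fs.mkdtempSync(path.join(os.tmpdir(), 'poison-demo-'));
  const dest = path.join(root, 'dest');
  const outside = path.join(root, 'outside');
  fs.mkdirSync(dest);
  fs.mkdirSync(outside);
  fs.symlinkSync(outside, path.join(dest, 'assets'), 'dir');
  const poisoned = path.join(dest, 'assets', 'entry.txt');
  const benign = path.join(dest, 'docs', 'readme.txt');
  const result = {
    poisonedLogical: logicalWithin(dest, poisoned),
    poisonedPhysical: physicalWithin(dest, poisoned),
    benignLogical: logicalWithin(dest, benign),
    benignPhysical: physicalWithin(dest, benign),
  };
  fs.rmSync(root, { recursive: true, force: true });
  return result;
}

console.log(demo());
```

A check of this kind still runs before the write, so it only holds if no other process can modify the destination tree between the check and the extraction.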
Affected Systems
The issue affects the node‑modules:compressing library in versions prior to 2.1.1 and 1.10.5. Any Node.js application that relies on one of these versions of the compressing module to handle archive files is affected. Only the patched releases (2.1.1 and 1.10.5) contain the proper filesystem verification that prevents this path traversal.
Risk and Exploitability
The CVSS score of 8.4 indicates a high-impact vulnerability. The EPSS score is not available, and the KEV status indicates it is not currently listed as a known exploited vulnerability. Attackers would need the ability to provide a malicious archive or set up a symbolic link before extraction. By exploiting the vulnerability, they can cause the library to write arbitrary data outside the intended directory, which may lead to arbitrary code execution if the application later executes those files. The risk is significant for any code that processes archives from untrusted sources.