CVE-2026-24884
📋 TL;DR
This vulnerability in the Compressing library allows attackers to write files to arbitrary locations on the host filesystem by exploiting improper symlink validation during TAR archive extraction. It affects all applications using vulnerable versions of the Compressing library for Node.js. Attackers can potentially overwrite sensitive files or create new files in security-critical directories.
💻 Affected Systems
- compressing (Node.js library)
📦 What is this software?
Compressing by Node Modules
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise through overwriting critical system files, installation of persistent backdoors, or privilege escalation by modifying security configuration files.
Likely Case
Data corruption, service disruption, or limited file system manipulation within the application's context, potentially leading to information disclosure or denial of service.
If Mitigated
Limited impact confined to the application's sandbox or container with proper file system permissions and isolation in place.
🎯 Exploit Status
Exploitation requires the application to process malicious TAR archives. No public proof-of-concept has been identified, but the vulnerability is straightforward to exploit.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.10.4 or 2.0.1
Vendor Advisory: https://github.com/node-modules/compressing/security/advisories/GHSA-cc8f-xg8v-72m3
Restart Required: No
Instructions:
1. Update the compressing dependency in package.json to ^1.10.4 or ^2.0.1.
2. Run 'npm update compressing' or 'yarn upgrade compressing'.
3. Verify the update with 'npm list compressing' or 'yarn list compressing'.
🔧 Temporary Workarounds
Validate archive sources
Only extract TAR archives from trusted sources and implement validation checks on archive entries before extraction
Use alternative extraction libraries
Temporarily switch to an alternative TAR extraction library that is not affected by this issue
🧯 If You Can't Patch
- Implement strict file system permissions to limit the application's write access to necessary directories only
- Run the application in a container or sandbox with restricted file system access
🔍 How to Verify
Check if Vulnerable:
Check package.json or run 'npm list compressing' to see whether the installed version is 1.10.3 or earlier, or exactly 2.0.0
Check Version:
npm list compressing | grep compressing
Verify Fix Applied:
After updating, verify compressing version is 1.10.4 or higher (for 1.x) or 2.0.1 or higher (for 2.x)
📡 Detection & Monitoring
Log Indicators:
- Unexpected file writes outside expected extraction directories
- Errors related to symlink resolution or file permission issues during archive extraction
Network Indicators:
- Incoming TAR archives from untrusted sources
- Archive extraction requests with unusual file paths
SIEM Query:
process.name:node AND file.path:* AND file.operation:write AND NOT file.path:/expected/extraction/path/*