CVE-2026-24884
HIGH
GHSA-cc8f-xg8v-72m3
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
4Description
Compressing is a compressing and uncompressing lib for node. In version 2.0.0 and 1.10.3 and prior, Compressing extracts TAR archives while restoring symbolic links without validating their targets. By embedding symlinks that resolve outside the intended extraction directory, an attacker can cause subsequent file entries to be written to arbitrary locations on the host file system. Depending on the extractor’s handling of existing files, this behavior may allow overwriting sensitive files or creating new files in security-critical locations. This issue has been patched in versions 1.10.4 and 2.0.1.
Analysis
Compressing library versions 1.10.3 and prior, and 2.0.0 fail to validate symbolic link targets during TAR archive extraction, allowing attackers to write files to arbitrary locations on the filesystem. Public exploit code exists for this vulnerability, which could enable overwriting critical system files or establishing persistence. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Identify all systems and applications using Compressing library versions 2.0.0, 1.10.3, or earlier through dependency scanning. Within 7 days: Apply vendor patch to upgrade Compressing to patched versions across all environments (development, staging, production). …
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today