CVE-2026-24884
Symlink Traversal in Compressing TAR Extraction Allows File Overwrite
Publication date: 2026-02-04
Last updated on: 2026-02-27
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| node-modules | compressing | < 1.10.4 |
| node-modules | compressing | 2.0.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-59 | The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-24884 is a security vulnerability in the 'compressing' Node.js module used for extracting TAR archives. In affected versions (2.0.0, 1.10.3 and prior), the module restores symbolic links (symlinks) during extraction without validating their targets. This allows an attacker to craft a malicious TAR archive containing symlinks that point outside the intended extraction directory.

When such an archive is extracted, subsequent file entries can be written to arbitrary locations on the host file system by following these symlinks. This can lead to unauthorized file writes or overwrites outside the extraction directory, potentially compromising system security.

The root cause is that while the module sanitizes destination paths, it does not restrict or validate where symlink targets point, enabling path traversal and symlink escape attacks. [1, 2, 3]
How can this vulnerability impact me?
This vulnerability can have serious impacts depending on the environment where the 'compressing' module is used. An attacker supplying a crafted TAR archive can cause arbitrary file writes outside the intended extraction directory.

- Overwriting sensitive files or creating new files in security-critical locations on the host system.
- Potential code execution or privilege escalation if files are written to executable or privileged locations.
- Data corruption or denial of service by modifying or replacing important system or application files.

The vulnerability has a high severity rating (CVSS v3 score 8.4) with low attack complexity and no required privileges or user interaction, making it a significant risk. [2]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves malicious TAR/TGZ archives containing symlinks or file paths that escape the intended extraction directory, leading to arbitrary file writes. Detection involves inspecting TAR archives for suspicious entries such as symlinks pointing outside the extraction directory or file paths with path traversal sequences like '../'.

You can manually inspect TAR archives before extraction using commands like:

- `tar -tvf archive.tar | grep '\.\./'` # Lists entries with path traversal sequences
- `tar -tvf archive.tar | grep '^l'` # Lists symlink entries

For symlink entries, further manual inspection is needed to verify if their targets point outside the intended extraction directory.

Additionally, monitoring extraction logs or enabling warnings in patched versions can help detect skipped entries due to path or symlink validation failures. [1, 2, 3]
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to upgrade the 'compressing' Node.js module to a patched version where this vulnerability is fixed.

- Upgrade to version 1.10.4 or later if using the 1.x branch.
- Upgrade to version 2.0.1 or later if using the 2.x branch.

These versions include strict path and symlink target validations during TAR archive extraction, preventing files from being written outside the intended extraction directory.

Until upgrading, avoid extracting untrusted TAR/TGZ archives with the vulnerable versions of the compressing module.

If extraction of untrusted archives is necessary, consider using alternative extraction tools that enforce path and symlink validation or manually inspect archives before extraction. [1, 2, 3]