CVE-2026-24884
Unknown Unknown - Not Provided
Symlink Traversal in Compressing TAR Extraction Allows File Overwrite

Publication date: 2026-02-04

Last updated on: 2026-02-27

Assigner: GitHub, Inc.

Description
Compressing is a compressing and uncompressing lib for node. In version 2.0.0 and 1.10.3 and prior, Compressing extracts TAR archives while restoring symbolic links without validating their targets. By embedding symlinks that resolve outside the intended extraction directory, an attacker can cause subsequent file entries to be written to arbitrary locations on the host file system. Depending on the extractor’s handling of existing files, this behavior may allow overwriting sensitive files or creating new files in security-critical locations. This issue has been patched in versions 1.10.4 and 2.0.1.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-04
Last Modified
2026-02-27
Generated
2026-06-16
AI Q&A
2026-02-04
EPSS Evaluated
2026-06-15
NVD
CVE-2026-24884
EUVD
EUVD-2026-5368
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
node-modules compressing to 1.10.4 (exc)
node-modules compressing 2.0.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-59 The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': "CVE-2026-24884 is a security vulnerability in the 'compressing' Node.js module used for extracting TAR archives. In affected versions (2.0.0, 1.10.3 and prior), the module restores symbolic links (symlinks) during extraction without validating their targets. This allows an attacker to craft a malicious TAR archive containing symlinks that point outside the intended extraction directory."}, {'type': 'paragraph', 'content': 'When such an archive is extracted, subsequent file entries can be written to arbitrary locations on the host file system by following these symlinks. This can lead to unauthorized file writes or overwrites outside the extraction directory, potentially compromising system security.'}, {'type': 'paragraph', 'content': 'The root cause is that while the module sanitizes destination paths, it does not restrict or validate where symlink targets point, enabling path traversal and symlink escape attacks.'}] [1, 2, 3]

Impact Analysis

[{'type': 'paragraph', 'content': "This vulnerability can have serious impacts depending on the environment where the 'compressing' module is used. An attacker supplying a crafted TAR archive can cause arbitrary file writes outside the intended extraction directory."}, {'type': 'list_item', 'content': 'Overwriting sensitive files or creating new files in security-critical locations on the host system.'}, {'type': 'list_item', 'content': 'Potential code execution or privilege escalation if files are written to executable or privileged locations.'}, {'type': 'list_item', 'content': 'Data corruption or denial of service by modifying or replacing important system or application files.'}, {'type': 'paragraph', 'content': 'The vulnerability has a high severity rating (CVSS v3 score 8.4) with low attack complexity and no required privileges or user interaction, making it a significant risk.'}] [2]

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': "This vulnerability involves malicious TAR/TGZ archives containing symlinks or file paths that escape the intended extraction directory, leading to arbitrary file writes. Detection involves inspecting TAR archives for suspicious entries such as symlinks pointing outside the extraction directory or file paths with path traversal sequences like '../'."}, {'type': 'paragraph', 'content': 'You can manually inspect TAR archives before extraction using commands like:'}, {'type': 'list_item', 'content': "tar -tvf archive.tar | grep '\\.\\./' # Lists entries with path traversal sequences"}, {'type': 'list_item', 'content': "tar -tvf archive.tar | grep '^l' # Lists symlink entries"}, {'type': 'paragraph', 'content': 'For symlink entries, further manual inspection is needed to verify if their targets point outside the intended extraction directory.'}, {'type': 'paragraph', 'content': 'Additionally, monitoring extraction logs or enabling warnings in patched versions can help detect skipped entries due to path or symlink validation failures.'}] [1, 2, 3]

Mitigation Strategies

[{'type': 'paragraph', 'content': "The primary mitigation is to upgrade the 'compressing' Node.js module to a patched version where this vulnerability is fixed."}, {'type': 'list_item', 'content': 'Upgrade to version 1.10.4 or later if using the 1.x branch.'}, {'type': 'list_item', 'content': 'Upgrade to version 2.0.1 or later if using the 2.x branch.'}, {'type': 'paragraph', 'content': 'These versions include strict path and symlink target validations during TAR archive extraction, preventing files from being written outside the intended extraction directory.'}, {'type': 'paragraph', 'content': 'Until upgrading, avoid extracting untrusted TAR/TGZ archives with the vulnerable versions of the compressing module.'}, {'type': 'paragraph', 'content': 'If extraction of untrusted archives is necessary, consider using alternative extraction tools that enforce path and symlink validation or manually inspect archives before extraction.'}] [1, 2, 3]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-24884. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart