Executive Summary

This vulnerability exists in the compressing library for Node.js prior to versions 2.1.1 and 1.10.5. It arises because the security check in the isPathWithinParent utility relies solely on a logical string validation to verify if a resolved path starts with the destination directory string. However, this check does not consider the actual filesystem state, allowing an attacker to exploit the difference between logical and physical paths.

By using a Directory Poisoning technique involving pre-existing symbolic links, an attacker can bypass the security check and potentially access or manipulate files outside the intended directory.

This issue was addressed and fixed in versions 2.1.1 and 1.10.5 of the compressing library.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can have severe impacts because it allows an attacker to bypass directory path validation and potentially access, modify, or delete files outside the intended directory.

• Confidentiality impact: Unauthorized access to sensitive files (C:H).
• Integrity impact: Unauthorized modification of files (I:H).
• Availability impact: Potential deletion or disruption of files (A:H).

Overall, this can lead to data breaches, data loss, or system disruption.

Useful 0 Not Useful 0

Mitigation Strategies

To mitigate this vulnerability, you should upgrade the compressing library to version 2.1.1 or later, or 1.10.5 or later, where the issue has been fixed.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability allows arbitrary file overwrite, including sensitive system files, which can lead to privilege escalation, remote code execution, data corruption, and loss.

Such impacts can compromise the confidentiality, integrity, and availability of data, which are core principles in compliance standards like GDPR and HIPAA.

By enabling attackers to overwrite critical files without user interaction, this vulnerability increases the risk of unauthorized data access or modification, potentially leading to violations of data protection regulations.

Therefore, if exploited, this vulnerability could negatively affect an organization's ability to maintain compliance with common standards and regulations that require safeguarding sensitive data and system integrity.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by checking for the presence of the vulnerable versions of the compressing npm package (>=2.0.0 and <=2.1.0, also <=1.10.4) in your environment. Additionally, detection involves identifying if symbolic links exist within directories used by the compressing library for extraction, which could be exploited by the Directory Poisoning technique.

To detect potentially malicious symlinks on your system, you can use commands to find symbolic links within directories where the compressing library operates. For example, to find symlinks recursively in a directory, you can run:

• find /path/to/extraction/directory -type l -ls

To check the installed version of the compressing package in a Node.js project, use:

• npm list compressing

If you find vulnerable versions installed, consider upgrading to version 2.1.1 or 1.10.5 or later, which include the fix.

For network detection, monitor for suspicious git clone operations from untrusted sources that might contain malicious symlinks, as the attack vector involves cloning attacker-controlled repositories.

Useful 0 Not Useful 0