42 matches found

Cvelist
added 2026/04/21 8:57 p.m., 31 views

CVE-2026-40931 Complete Bypass of CVE-2026-24884 Patch via Git-Delivered Symlink Poisoning in compressing

Compressing is a compressing and uncompressing lib for node. Prior to 2.1.1 and 1.10.5, the patch for CVE-2026-24884 relies on a purely logical string validation within the isPathWithinParent utility. This check verifies if a resolved path string starts with the destination directory string but...

CVSS 8.4, EPSS 0.0024
Exploits: 2, References: 1
Vulnrichment
added 2026/04/21 8:57 p.m., 0 views

CVE-2026-40931 Complete Bypass of CVE-2026-24884 Patch via Git-Delivered Symlink Poisoning in compressing

Compressing is a compressing and uncompressing lib for node. Prior to 2.1.1 and 1.10.5, the patch for CVE-2026-24884 relies on a purely logical string validation within the isPathWithinParent utility. This check verifies if a resolved path string starts with the destination directory string but...

CVSS 8.4, AI score 5.7, EPSS 0.00266
Exploits: 2, References: 1
CVE
added 2026/04/21 8:57 p.m., 16 views

CVE-2026-40931

CVE-2026-40931 affects the node module compressing up to versions 2.1.0 and 1.10.4/2.0.1 patching CVE-2026-24884. The root cause is a string-based path check in isPathWithinParent that validates resolved paths without accounting for filesystem state, enabling a Directory Poisoning bypass via pre-...

CVSS 8.4, AI score 5.7, EPSS 0.00266
Exploits: 2, References: 1, Affected Software: 1
ATTACKERKB
added 2026/04/21 8:57 p.m., 6 views

CVE-2026-40931

Compressing is a compressing and uncompressing lib for node. Prior to 2.1.1 and 1.10.5, the patch for CVE-2026-24884 relies on a purely logical string validation within the isPathWithinParent utility. This check verifies if a resolved path string starts with the destination directory string but...

CVSS 8.4, AI score 5.8, EPSS 0.00266
Exploits: 2, References: 2, Affected Software: 1
CNNVD
added 2026/04/21 12:00 a.m., 7 views

compressing Link Following Vulnerability

Compressing is a compression and decompression tool library open sourced by node-modules. Versions of compressing before 2.1.1 and 1.10.5 have a link following vulnerability. The vulnerability stems from a flaw in the purely logical string validation within the isPathWithinParent utility, which failed to...

CVSS 8.4, AI score 5.8, EPSS 0.0024
Exploits: 2, References: 1
vulnersOsv
added 2026/04/17 9:32 p.m., 3 views

@baosight/federation-types (>=0.0.1 <=0.0.3), @bepp/api (>=1.3.2 <=1.3.17) +18 more potentially affected by CVE-2026-24884 +1 more via compressing (>=1.10.0 <=1.10.3)

compressing NPM version =1.10.0, =0.0.1, =1.3.2, =0.1.2, =0.1.2, =1.0.18, =1.5.2, =1.5.2, =3.3.0, =1.0.3, =1.0.4, =2.2.0-rc.0, =2.2.0-rc.0, =1.0.0, =0.0.1-beta.1, =1.0.0, =1.0.9-beta.5 and more Source cves: CVE-2026-24884, CVE-2026-40931 Source advisory: SNYK:JS-COMPRESSING-16108999...

CVSS 8.4, AI score 5.4, EPSS 0.00266
Exploits: 2
vulnersOsv
added 2026/04/17 9:32 p.m., 3 views

binarium (=2.1.3), hunter-open-sdk (>=0.0.20 <=2.0.0-beta.18) potentially affected by CVE-2026-24884 +1 more via compressing (=2.0.0)

compressing NPM version =2.0.0 is affected by a known vulnerability. The following packages have a transitive dependency on compressing and may be impacted: - binarium =2.1.3 - hunter-open-sdk =0.0.20, =2.0.0-beta.18 Source cves: CVE-2026-24884, CVE-2026-40931 Source advisory:...

CVSS 8.4, AI score 5.4, EPSS 0.00266
Exploits: 2
Snyk
added 2026/04/17 9:32 p.m., 2 views

Symlink Attack

Overview: compressing is an "Everything you need for compressing and uncompressing" package. Affected versions of this package are vulnerable to Symlink Attack via the isPathWithinParent function. An attacker can overwrite arbitrary files outside the intended extraction directory by supplying a malicious...

CVSS 8.6, AI score 5.9, EPSS 0.00266
Exploits: 2, References: 2
vulnersOsv
added 2026/04/17 9:32 p.m., 4 views

binarium (=2.1.3), hunter-open-sdk (>=0.0.20 <=2.0.0-beta.18) potentially affected by CVE-2026-24884 +1 more via compressing (=2.0.0)

compressing NPM version =2.0.0 is affected by a known vulnerability. The following packages have a transitive dependency on compressing and may be impacted: - binarium =2.1.3 - hunter-open-sdk =0.0.20, =2.0.0-beta.18 Source cves: CVE-2026-24884, CVE-2026-40931 Source advisory:...

CVSS 8.4, AI score 5.4, EPSS 0.00266
Exploits: 2
ATTACKERKB
added 2026/02/04 7:35 p.m., 4 views

CVE-2026-24884

Compressing is a compressing and uncompressing lib for node. In version 2.0.0 and 1.10.3 and prior, Compressing extracts TAR archives while restoring symbolic links without validating their targets. By embedding symlinks that resolve outside the intended extraction directory, an attacker can caus...

CVSS 8.4, AI score 5.6, EPSS 0.00266
Exploits: 1, References: 4, Affected Software: 1
Vulnrichment
added 2026/02/04 7:35 p.m., 4 views

CVE-2026-24884 Compressing Vulnerable to Arbitrary File Write via Symlink Extraction

Compressing is a compressing and uncompressing lib for node. In version 2.0.0 and 1.10.3 and prior, Compressing extracts TAR archives while restoring symbolic links without validating their targets. By embedding symlinks that resolve outside the intended extraction directory, an attacker can caus...

CVSS 8.4, AI score 5.6, EPSS 0.00266
Exploits: 1, References: 3
OSV
added 2026/02/04 7:35 p.m., 4 views

CVE-2026-24884 Compressing Vulnerable to Arbitrary File Write via Symlink Extraction

Compressing is a compressing and uncompressing lib for node. In version 2.0.0 and 1.10.3 and prior, Compressing extracts TAR archives while restoring symbolic links without validating their targets. By embedding symlinks that resolve outside the intended extraction directory, an attacker can caus...

CVSS 8.4, AI score 5.6, EPSS 0.00266
Exploits: 1, References: 5
CNNVD
added 2026/02/04 12:00 a.m., 3 views

compressing Link Following Vulnerability

Compressing is a compression and decompression tool library open sourced by node-modules. Compressing versions 1.10.3 and earlier, as well as version 2.0.0, have a link following vulnerability. The vulnerability arises from not verifying symbolic link targets when extracting TAR archives, which ma...

CVSS 8.4, AI score 6, EPSS 0.00266
Exploits: 1, References: 3
Github Security Blog
added 2026/02/03 5:42 p.m., 7 views

Compressing Vulnerable to Arbitrary File Write via Symlink Extraction

Arbitrary File Write via Symlink Extraction in github.com/node-modules/compressing. Brief Introduction: The compressing npm package extracts TAR archives while restoring symbolic links without validating their targets. By embedding symlinks that resolve outside the intended extraction directory, an...

CVSS 8.4, AI score 5.8, EPSS 0.00266
Exploits: 1, References: 5, Affected Software: 1
Snyk
added 2026/02/03 5:42 p.m., 5 views

Symlink Attack

Overview: compressing is an "Everything you need for compressing and uncompressing" package. Affected versions of this package are vulnerable to Symlink Attack via the compressing.tar.uncompress function, which sanitizes the destination paths of archive entries. An attacker can overwrite or create files in...

CVSS 8.6, AI score 5.7, EPSS 0.00266
Exploits: 1, References: 2
vulnersOsv
added 2026/02/03 5:42 p.m., 4 views

@baosight/federation-types (>=0.0.1 <=0.0.3), @bepp/api (>=1.3.2 <=1.3.17) +18 more potentially affected by CVE-2026-24884 via compressing (>=1.10.0 <=1.10.3)

compressing NPM version =1.10.0, =0.0.1, =1.3.2, =0.1.2, =0.1.2, =1.0.18, =1.5.2, =1.5.2, =3.3.0, =1.0.3, =1.0.4, =2.2.0-rc.0, =2.2.0-rc.0, =1.0.0, =0.0.1-beta.1, =1.0.0, =1.0.9-beta.5 and more Source cves: CVE-2026-24884 Source advisory: SNYK:JS-COMPRESSING-15202444...

CVSS 8.4, AI score 5.4, EPSS 0.00266
Exploits: 1
vulnersOsv
added 2026/02/03 5:42 p.m., 6 views

binarium (=2.1.3), hunter-open-sdk (>=0.0.20 <=2.0.0-beta.18) potentially affected by CVE-2026-24884 via compressing (=2.0.0)

compressing NPM version =2.0.0 is affected by a known vulnerability. The following packages have a transitive dependency on compressing and may be impacted: - binarium =2.1.3 - hunter-open-sdk =0.0.20, =2.0.0-beta.18 Source cves: CVE-2026-24884 Source advisory: SNYK:JS-COMPRESSING-15202444...

CVSS 8.4, AI score 5.8, EPSS 0.00266
Exploits: 1
vulnersOsv
added 2026/02/03 5:42 p.m., 2 views

binarium (=2.1.3), hunter-open-sdk (>=0.0.20 <=2.0.0-beta.18) potentially affected by CVE-2026-24884 via compressing (=2.0.0)

compressing NPM version =2.0.0 is affected by a known vulnerability. The following packages have a transitive dependency on compressing and may be impacted: - binarium =2.1.3 - hunter-open-sdk =0.0.20, =2.0.0-beta.18 Source cves: CVE-2026-24884 Source advisory: OSV:GHSA-CC8F-XG8V-72M3...

CVSS 8.4, AI score 5.8, EPSS 0.00266
Exploits: 1
OSV
added 2026/02/03 5:42 p.m., 5 views

GHSA-CC8F-XG8V-72M3 Compressing Vulnerable to Arbitrary File Write via Symlink Extraction

Arbitrary File Write via Symlink Extraction in github.com/node-modules/compressing. Brief Introduction: The compressing npm package extracts TAR archives while restoring symbolic links without validating their targets. By embedding symlinks that resolve outside the intended extraction directory, an...

CVSS 8.4, AI score 6, EPSS 0.00266
Exploits: 1, References: 5
Positive Technologies
added 2026/02/03 12:00 a.m., 5 views

PT-2026-6407

Arbitrary File Write via Symlink Extraction in github.com/node-modules/compressing. Brief Introduction: The compressing npm package extracts TAR archives while restoring symbolic links without validating their targets. By embedding symlinks that resolve outside the intended extraction directory, an...

CVSS 8.4, AI score 5.8, EPSS 0.00266
Exploits: 1, References: 6