9 matches found

Vulnrichment
added 2026/04/21 8:57 p.m. | 0 views

CVE-2026-40931 Complete Bypass of CVE-2026-24884 Patch via Git-Delivered Symlink Poisoning in compressing

Compressing is a compressing and uncompressing lib for node. Prior to 2.1.1 and 1.10.5, the patch for CVE-2026-24884 relies on a purely logical string validation within the isPathWithinParent utility. This check verifies if a resolved path string starts with the destination directory string but...

8.4 CVSS | 5.7 AI score | 0.00021 EPSS
Exploits: 1 | References: 1

Cvelist
added 2026/04/21 8:57 p.m. | 28 views

CVE-2026-40931 Complete Bypass of CVE-2026-24884 Patch via Git-Delivered Symlink Poisoning in compressing

Compressing is a compressing and uncompressing lib for node. Prior to 2.1.1 and 1.10.5, the patch for CVE-2026-24884 relies on a purely logical string validation within the isPathWithinParent utility. This check verifies if a resolved path string starts with the destination directory string but...

8.4 CVSS | 0.00021 EPSS
Exploits: 1 | References: 1

ATTACKERKB
added 2026/04/21 8:57 p.m. | 2 views

CVE-2026-40931

Compressing is a compressing and uncompressing lib for node. Prior to 2.1.1 and 1.10.5, the patch for CVE-2026-24884 relies on a purely logical string validation within the isPathWithinParent utility. This check verifies if a resolved path string starts with the destination directory string but...

8.4 CVSS | 5.8 AI score | 0.00021 EPSS
Exploits: 2 | References: 2 | Affected Software: 1

CVE
added 2026/04/21 8:57 p.m. | 13 views

CVE-2026-40931

CVE-2026-40931 affects the node module compressing up to versions 2.1.0 and 1.10.4/2.0.1 patching CVE-2026-24884. The root cause is a string-based path check in isPathWithinParent that validates resolved paths without accounting for filesystem state, enabling a Directory Poisoning bypass via pre-...

8.4 CVSS | 5.7 AI score | 0.00021 EPSS
Exploits: 1 | References: 1 | Affected Software: 1

CNNVD
added 2026/04/21 12:0 a.m. | 3 views

compressing link following vulnerability

Compressing is a compression and decompression tool library open sourced by nodemodules. Versions of compressing before 2.1.1 and 1.10.5 had a backlink vulnerability. This vulnerability stemmed from a flaw in the pure logical string validation within the isPathWithinParent tool, which failed to...

8.4 CVSS | 5.8 AI score | 0.00021 EPSS
Exploits: 1 | References: 1

vulnersOsv
added 2026/04/17 9:32 p.m. | 1 views

@andy9879/log-file (>=1.0.1 <=1.0.3), @baosight/federation-types (>=0.0.1 <=0.0.3) +116 more potentially affected by CVE-2026-24884 +1 more via compressing (>=1.10.0 <=1.10.4)

compressing NPM version =1.10.0, =1.0.1, =0.0.1, =1.3.2, =0.1.2, =0.1.2, =1.0.18, =1.5.2, =1.5.2, =1.0.2, =0.0.1-2, =3.3.0, =1.0.3, =1.0.4, =1.0.5 and more Source cves: CVE-2026-24884, CVE-2026-40931 Source advisory: SNYK:JS-COMPRESSING-16108999...

8.4 CVSS | 5.8 AI score | 0.00021 EPSS
Exploits: 2

ATTACKERKB
added 2026/02/04 7:35 p.m. | 3 views

CVE-2026-24884

Compressing is a compressing and uncompressing lib for node. In version 2.0.0 and 1.10.3 and prior, Compressing extracts TAR archives while restoring symbolic links without validating their targets. By embedding symlinks that resolve outside the intended extraction directory, an attacker can caus...

8.4 CVSS | 5.6 AI score | 0.00008 EPSS
Exploits: 1 | References: 4 | Affected Software: 1

Vulnrichment
added 2026/02/04 7:35 p.m. | 2 views

CVE-2026-24884 Compressing Vulnerable to Arbitrary File Write via Symlink Extraction

Compressing is a compressing and uncompressing lib for node. In version 2.0.0 and 1.10.3 and prior, Compressing extracts TAR archives while restoring symbolic links without validating their targets. By embedding symlinks that resolve outside the intended extraction directory, an attacker can caus...

8.4 CVSS | 5.6 AI score | 0.00008 EPSS
Exploits: 1 | References: 3

CNNVD
added 2026/02/04 12:0 a.m. | 2 views

compressing link following vulnerability

Compressing is a compression and decompression tool library open source from nodemodules. Compressing versions 1.10.3 and earlier, as well as version 2.0.0, have a backlink vulnerability. This vulnerability arises from not verifying the symbolic link targets when extracting TAR archives, which ma...

8.4 CVSS | 6 AI score | 0.00008 EPSS
Exploits: 1 | References: 3