8.4
CVE-2026-24884
- EPSS 0.33%
- Veröffentlicht 04.02.2026 19:35:56
- Zuletzt bearbeitet 27.02.2026 20:27:32
- Quelle security-advisories@github.com
- CVE-Watchlists
- Unerledigt
LoginCompressing Vulnerable to Arbitrary File Write via Symlink Extraction
Compressing is a compressing and uncompressing lib for node. In version 2.0.0 and 1.10.3 and prior, Compressing extracts TAR archives while restoring symbolic links without validating their targets. By embedding symlinks that resolve outside the intended extraction directory, an attacker can cause subsequent file entries to be written to arbitrary locations on the host file system. Depending on the extractor’s handling of existing files, this behavior may allow overwriting sensitive files or creating new files in security-critical locations. This issue has been patched in versions 1.10.4 and 2.0.1.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Node-modules ≫ Compressing SwPlatformnode.js Version < 1.10.4
Node-modules ≫ Compressing Version2.0.0 SwPlatformnode.js
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.33% | 0.251 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 7.8 | 1.8 | 5.9 |
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
|
| security-advisories@github.com | 8.4 | 2.5 | 5.9 |
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
CWE-59 Improper Link Resolution Before File Access ('Link Following')
The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.
https://github.com/node-modules/compressing/security/advisories/GHSA-cc8f-xg8v-72m3
https://github.com/node-modules/compressing/commit/8d16c196c7f1888fc1af957d9ff36117247cea6c
https://github.com/node-modules/compressing/commit/ce1c0131c401c071c77d5a1425bf8c88cfc16361