Symbolic Link Vulnerability in Compressing Library by Node Modules
CVE-2026-24884
8.4 HIGH
What is CVE-2026-24884?
The Compressing library for Node.js improperly handles symbolic links when extracting TAR archives. An attacker can craft an archive whose symlinks resolve outside the intended extraction directory, potentially leading to arbitrary file writes in sensitive locations on the host file system. If not addressed, this could allow existing files to be overwritten or new files to be created in locations that jeopardize system integrity. The issue has been resolved in versions 1.10.4 and 2.0.1.
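An added example (not code from the Compressing project) of a lexical pre-extraction audit for the flaw described above: it flags TAR entries whose symlink target resolves outside the extraction directory, or whose path would be written through a symlink created earlier in the same archive. The entry shape `{name, type, linkname}` and the function names are assumptions for illustration.

```javascript
// Added example, not the compressing library's code. Entries are constructed;
// the {name, type, linkname} shape is an assumption modelled on TAR header fields.

// Walk a '/'-separated path from the extraction root. Returns the normalized
// relative path, or null if it is absolute, climbs above the root, or steps
// through a symlink that an earlier entry of the same archive created.
function resolveInRoot(p, symlinks) {
  if (p.startsWith('/')) return null;
  const out = [];
  for (const seg of p.split('/')) {
    if (seg === '' || seg === '.') continue;
    if (symlinks.has(out.join('/'))) return null; // would traverse a link
    if (seg === '..' && out.length === 0) return null; // above the root
    if (seg === '..') out.pop(); else out.push(seg);
  }
  return out.join('/');
}

// Return the entries an extractor should refuse, with the reason for each.
function auditTarEntries(entries) {
  const symlinks = new Set(); // links accepted so far, by normalized path
  const rejected = [];
  for (const e of entries) {
    const dest = resolveInRoot(e.name, symlinks);
    if (dest === null) {
      rejected.push({ name: e.name, reason: 'unsafe entry path' });
      continue;
    }
    if (e.type !== 'symlink') continue;
    // A relative link target is resolved from the directory holding the link.
    const dir = dest.split('/').slice(0, -1).join('/');
    const target = e.linkname.startsWith('/')
      ? null
      : resolveInRoot(dir ? dir + '/' + e.linkname : e.linkname, symlinks);
    if (target === null) rejected.push({ name: e.name, reason: 'unsafe link target' });
    else symlinks.add(dest);
  }
  return rejected;
}

// Constructed sample archive listing.
const sample = [
  { name: 'docs/readme.txt', type: 'file' },
  { name: 'docs/latest', type: 'symlink', linkname: 'readme.txt' },
  { name: 'out', type: 'symlink', linkname: '../outside' },
  { name: 'out/payload.txt', type: 'file' },
  { name: 'docs/latest/x', type: 'file' },
];
```

The check is lexical and follows archive order only; an extractor should still verify the real on-disk path before each write, since the destination directory may already contain symlinks.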
Affected Version(s)
compressing = 2.0.0
compressing < 1.10.4
