Path Traversal Vulnerability in Compressing Library by Node Modules
CVE-2026-40931

8.4HIGH

Key Information:

Vendor: Node-modules
Status: Compressing
Vendor: CVE Published:; 21 April 2026

🔔 Create Node-modules Vulnerability Alert

What is CVE-2026-40931?

The Compressing library for Node.js contains a vulnerability that allows attackers to exploit a logical flaw in the isPathWithinParent utility. Prior to versions 2.1.1 and 1.10.5, the vulnerability arises from a validation function that only checks if a resolved path begins with a specified directory. This logical comparison does not consider the actual filesystem state, which can enable an attacker to execute a directory poisoning attack, potentially allowing access to unauthorized directories through pre-existing symbolic links. Users are advised to upgrade to the patched versions to mitigate this risk.

Affected Version(s)

compressing >=2.0.0, < 2.1.1 < 2.0.0, 2.1.1

compressing < 1.10.5 < 1.10.5

References

https://github.com/node-modules/compressing/security/advi...

x_refsource_CONFIRM

CVSS V3.1

Score:

8.4

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 21, 2026
Vulnerability Reserved
Apr 15, 2026

CVE-2026-40931 Data

JSON