CVE-2026-24884 Overview
CVE-2026-24884 is a symlink attack vulnerability affecting the Compressing library, a popular compression and decompression utility for Node.js applications. The vulnerability allows attackers to craft malicious TAR archives containing symbolic links that, when extracted, can write files to arbitrary locations outside the intended extraction directory.
Critical Impact
Attackers can overwrite sensitive system files or create new files in security-critical locations by exploiting improper symlink validation during TAR archive extraction.
Affected Products
- Compressing library version 2.0.0 and prior
- Compressing library version 1.10.3 and prior
- Node.js applications utilizing vulnerable Compressing versions
Discovery Timeline
- 2026-02-04 - CVE-2026-24884 published to NVD
- 2026-02-05 - Last updated in NVD database
Technical Details for CVE-2026-24884
Vulnerability Analysis
This vulnerability is classified as CWE-59 (Improper Link Resolution Before File Access), commonly known as a symlink attack or link following vulnerability. The Compressing library fails to properly validate the target paths of symbolic links embedded within TAR archives before restoring them during extraction.
When a TAR archive is extracted, the library processes each entry sequentially. If the archive contains a symbolic link pointing to a location outside the extraction directory (such as ../../../etc/passwd), the library creates this symlink without validation. Subsequent file entries in the archive that reference this symlink can then write content to the attacker-controlled destination path.
The attack requires local access to provide a malicious TAR archive to an application using the vulnerable library. Once the archive is processed, the attacker gains the ability to write arbitrary content to any location accessible by the process running the extraction.
Root Cause
The root cause of this vulnerability lies in the absence of symlink target validation logic within the TAR extraction routines. The library directly restores symbolic links from the archive without checking whether the resolved target path remains within the designated extraction directory boundary. This lack of path canonicalization and boundary checking enables directory traversal through crafted symlinks.
Attack Vector
The attack exploits the TAR extraction process through a two-stage payload:
Symlink Creation Stage: The attacker crafts a TAR archive containing a symbolic link entry pointing to a sensitive directory outside the extraction root (e.g., a symlink named escape pointing to ../../../etc/).
File Write Stage: Subsequent entries in the archive reference the symlink as a directory, allowing files to be written through the symlink to arbitrary locations (e.g., escape/cron.d/malicious writes to /etc/cron.d/malicious).
The vulnerability requires the attacker to supply a malicious archive to an application that uses the Compressing library for extraction. This could occur through file upload functionality, automated archive processing systems, or package installation workflows.
Detection Methods for CVE-2026-24884
Indicators of Compromise
- TAR archives containing symbolic links with path traversal sequences (../) in their target paths
- Unexpected symbolic links created in extraction directories pointing outside the application root
- Modification timestamps on sensitive system files coinciding with archive extraction events
- Application logs showing extraction operations followed by unauthorized file access attempts
Detection Strategies
- Implement file integrity monitoring on critical system directories to detect unauthorized modifications
- Monitor application logs for extraction operations involving untrusted TAR archives
- Deploy static analysis tools to identify usage of vulnerable Compressing library versions in codebases
- Use software composition analysis (SCA) to track dependencies on affected library versions
Monitoring Recommendations
- Enable audit logging for file system operations in directories commonly targeted by symlink attacks (/etc, /usr, /var)
- Monitor Node.js application processes for unexpected file system access patterns outside application directories
- Implement alerts for newly created symbolic links in application extraction directories
- Track package manifest changes to detect introduction of vulnerable Compressing versions
How to Mitigate CVE-2026-24884
Immediate Actions Required
- Upgrade the Compressing library to version 1.10.4 or 2.0.1, which include the patches for this vulnerability
- Audit applications to identify all instances where the Compressing library processes untrusted archives
- Implement input validation to reject TAR archives from untrusted sources until patching is complete
- Review extraction directories for any suspicious symbolic links that may indicate prior exploitation
Patch Information
The vulnerability has been addressed in Compressing versions 1.10.4 and 2.0.1. The patches add validation logic to ensure symbolic link targets resolve within the intended extraction directory. Two commits address this issue:
- Initial security fix implementing symlink target validation
- Additional security hardening for comprehensive path resolution checks
For complete vulnerability details, refer to the GitHub Security Advisory GHSA-cc8f-xg8v-72m3.
Workarounds
- Run extraction processes in sandboxed environments or containers with restricted file system access
- Implement pre-extraction scanning to detect and reject archives containing symbolic links with path traversal patterns
- Use operating system-level restrictions (chroot, namespaces) to limit the file system scope accessible during extraction
- Configure application processes to run with minimal privileges, reducing the impact of arbitrary file writes
# Example: check which version of the compressing package is installed
npm list compressing
# Update to the patched version on the 2.x branch
npm install compressing@2.0.1
# or for the 1.x branch
npm install compressing@1.10.4
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.