CVE-2026-24884
HIGH: compressing < 2.0.1 and < 1.10.4 - Arbitrary File Write via Symbolic Link Extraction
Title source: llmDescription
Compressing is a compressing and uncompressing library for Node.js. In versions 2.0.0 and 1.10.3 and prior, Compressing extracts TAR archives while restoring symbolic links without validating their targets. By embedding symlinks that resolve outside the intended extraction directory, an attacker can cause subsequent file entries to be written to arbitrary locations on the host file system. Depending on the extractor's handling of existing files, this behavior may allow overwriting sensitive files or creating new files in security-critical locations. This issue has been patched in versions 1.10.4 and 2.0.1.
References
Vendor Advisory (x_refsource_confirm):
https://github.com/node-modules/compressing/security/advisories/GHSA-cc8f-xg8v-72m3
Patch (x_refsource_misc):
https://github.com/node-modules/compressing/commit/8d16c196c7f1888fc1af957d9ff36117247cea6c
Scores
CVSS v3
8.4
EPSS
0.0027
EPSS Percentile
17.8%
Attack Vector
LOCAL
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
total
Details
CWE
CWE-59
Status
published
Products (3)
node-modules/compressing: 2.0.0
node-modules/compressing: < 1.10.4
npm/compressing: 2.0.0 - 2.0.1
Published
Feb 04, 2026
Tracked Since
Feb 18, 2026