Compressing Library Symlink Poisoning Vulnerability Bypassing CVE-2026-24884 Patch
Vulnerability
A vulnerability in the Compressing library for Node.js, affecting versions 1.10.0 through 1.10.4 and 2.0.0 through 2.1.0, allows an attacker to bypass the patch for CVE-2026-24884, an earlier directory traversal issue. The patched path validation inspects only the string form of each archive entry's path and never consults the filesystem, so it does not notice when a segment of that path is a symbolic link. An archive can therefore plant a symlink that points outside the destination directory and have a later entry written through it, which turns into an arbitrary file overwrite at the link's target. The impact is greatest when extraction runs as a privileged user, where the overwritten file may be /etc/passwd or /etc/shadow.
Impact
Successful exploitation yields an arbitrary file overwrite with the privileges of the process performing the extraction. Depending on which file is replaced, that can mean privilege escalation (for example by rewriting account or authentication files) or corruption of application data and configuration. Because the flaw defeats the earlier fix, deployments that upgraded for CVE-2026-24884 remain exposed until a release with symlink-aware validation is available.
Reproduction
The vulnerability is reproduced with a proof-of-concept payload kept in a GitHub repository. The payload archive contains a symbolic link entry whose target is a sensitive file such as /etc/passwd. After cloning the repository, extracting the payload with the 'compressing' library version 2.1.0 creates the link and then writes through it, so the targeted file is overwritten. When reproducing, point the link at a throwaway file rather than a real system file.
Remediation
To address this vulnerability, the Compressing library's path validation should walk each segment of an entry's path on the real filesystem, from the destination root downwards, calling fs.lstatSync on every segment that already exists and refusing the entry if any of them is a symbolic link (or if the segment's resolved location leaves the destination directory). Symbolic link entries in the archive should be checked at creation time in the same way, so that a link whose target resolves outside the destination is never created in the first place. A check-then-write sequence remains racy if some other process can alter the destination tree during extraction, so extraction should also go into a fresh directory that nothing else writes to.
