Arbitrary File Write via Symlink Traversal in compressing npm package (CVE-2026-24884)

Vulnerability Key Information Vulnerability Name Arbitrary File Write via Symlink Extraction in compressing Vulnerability Identifiers GHSA ID: GHSA-cc8f-xg8v-72m3 CVE ID: CVE-2026-24884 Affected Scope Affected Versions: <= 1.10.3 Fixed Versions: - Starting from version 2.0.0, the fixed version is 2.0.1 - Starting from versions <= 1.10.3, the fixed version is 1.10.4 Vulnerability Description The npm package restores symbolic links when extracting files from TAR archives, but does not validate their targets. By embedding symbolic links that resolve outside the extraction directory, an attacker can write subsequent file entries to arbitrary locations on the host filesystem. Vulnerability Details Root Cause: cleans the target path of archive entries, but does not validate the target of symbolic links contained within the TAR archive. During extraction, the library creates these symbolic links within the output directory. Later entries resolved through these symbolic links are written to the symbolic link's target rather than the intended extraction root directory, enabling arbitrary file write. Impact: - An attacker can provide a crafted TAR archive to: - Write files outside the intended extraction directory (achieving arbitrary file write via symlink traversal). - Write files to attacker-controlled paths on the host filesystem during extraction by following symbolic links. - In environments where extraction is executed with elevated privileges or where the target is an executable path, this could lead to code execution, privilege escalation, data corruption, or denial of service. Reproduction Steps Environment: - OS: Ubuntu 24.04 - Node.js: v24.12.0 - : 2.0.0 Pseudocode Example: Provides code examples for building a PoC archive and extracting it. Attack Result: After extraction, the output directory contains a symbolic link pointing to , and the file is written to via this symbolic link, demonstrating arbitrary file write outside the extraction directory. Vulnerability Risk Assessment Severity: High (8.4 / 10) CVSS v3 Base Metrics: - Attack Vector: Local - Attack Complexity: Low - Required Privileges: None - User Interaction: None - Scope: Unchanged - Confidentiality: High - Integrity: High - Availability: High

Goal Reached Thanks to every supporter — we hit 100%!

Arbitrary File Write via Symlink Traversal in compressing npm package (CVE-2026-24884)

More from this source