Complete Bypass of CVE-2026-24884 Patch via Git-Delivered Symlink Poisoning in compressing
- Executive Summary This report documents a critical security research finding in the compressing npm package (specifically tested on the latest v2.1.0). The core vulnerability is a Partial Fix Bypass of CVE-2026-24884. The current patch relies on a purely logical string validation within the isPathWithinParent utility. This check verifies if a resolved path string starts with the destination directory string but fails to account for the actual filesystem state. By …