CVE-2026-24884: Compressing Vulnerable to Arbitrary File Write via Symlink Extraction
When extracting a TAR archive, compressing recreates symlink entries without validating where they point. An archive that first contains a symlink whose target lies outside the extraction directory, and then a regular file entry whose path passes through that symlink, causes the file to be written at the symlink's target rather than inside the extraction directory. An attacker who controls the archive can therefore write files to arbitrary locations on the host that the extracting process can reach.
References
- github.com/advisories/GHSA-cc8f-xg8v-72m3
- github.com/node-modules/compressing
- github.com/node-modules/compressing/commit/8d16c196c7f1888fc1af957d9ff36117247cea6c
- github.com/node-modules/compressing/commit/ce1c0131c401c071c77d5a1425bf8c88cfc16361
- github.com/node-modules/compressing/security/advisories/GHSA-cc8f-xg8v-72m3
- nvd.nist.gov/vuln/detail/CVE-2026-24884