
A publicly disclosed vulnerability has revealed a complete patch bypass for CVE-2026-24884, a previously remediated symlink traversal flaw residing in the widely used Node.js compressing npm library.
The new vulnerability, formally tracked as CVE-2026-40931, carries a High severity rating and enables arbitrary file writes outside the intended extraction directory, requiring zero prior system access.
The original CVE-2026-24884 addressed malicious symbolic links embedded inside a crafted TAR archive; when the library extracted the archive, those symlinks resolved outside the intended extraction directory, enabling writes to arbitrary locations on the host filesystem.
CVE-2026-24884 Patch Bypass Exposed
The flaw: path.resolve() is a pure string manipulation; it never consults the disk and so cannot detect whether a directory segment is secretly a symbolic link, Infosecwriteups said.

If the extraction target is /app/out and the entry resolves to /app/out/config/passwd, the string check passes, even if /app/out/config is a symlink pointing to /etc.
The OS kernel then faithfully follows the symlink, routing the fs.writeFile() call to /etc/passwd: a divergence between what the security check validated and what the filesystem executed.
Secure implementations like node-tar prevent exactly this scenario by iterating through every path segment with fs.lstatSync(), halting extraction if any component resolves to a symlink.
The researchers’ critical discovery was that the attacker need not embed anything inside the archive. Instead, the symlink is pre-planted on the victim’s machine via git clone.
Git treats symbolic links as first-class objects and restores them faithfully during cloning. An attacker publishes a repository containing a symlink (e.g., config_file → /etc/passwd) and waits for a developer or CI/CD pipeline to clone it.
When the application subsequently extracts a tarball containing a file entry named config_file, the library passes the string check and writes directly through the pre-planted symlink, overwriting sensitive files with zero additional attacker interaction required.
Infosecwriteups stated that the attack vector is particularly dangerous in modern CI/CD pipelines, where automated jobs routinely clone external repositories and process archives without human review.
The maintainers responded within hours of the responsible disclosure, validating the proof of concept and pushing patched versions v2.1.1 and v1.10.5 almost immediately.

The fix replaces string-only path validation with recursive, disk-state verification: fs.lstatSync() is called at every path segment from the extraction root to the target file.
If any segment is identified as a symbolic link, extraction halts immediately, ensuring the logical path and physical filesystem layout are identical before any write is attempted.
Mitigation
All users of the compressing npm library should upgrade immediately:
- Run npm install compressing@latest, or pin to >=2.1.1 / >=1.10.5
- Audit CI/CD pipelines that clone external repositories before performing archive extraction
- Implement recursive lstat checks in any custom extraction logic handling user-supplied archives
- Apply defense-in-depth by running archive extraction in sandboxed or containerized environments with restricted filesystem permissions
The post Node.js Compression Library Vulnerable Again After CVE-2026-24884 Bypass appeared first on Cyber Security News.
