PT-2026-33550 · Npm · Compressing
Published 2026-04-17 · Updated 2026-06-02 · CVE-2026-40931
CVSS v3.1: 8.4 (High)
Vector: AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
compressing versions prior to 1.10.5
compressing versions prior to 2.1.1
Description
A partial fix bypass exists in the compressing Node.js library. The isPathWithinParent() function in lib/utils.js relies on logical string validation using path.resolve() to verify whether a resolved path starts with the destination directory. However, it fails to account for the actual filesystem state, creating a divergence between the logical path and the physical path. An attacker can exploit this using a Directory Poisoning technique with pre-existing symbolic links. For example, if a symbolic link is planted in the destination directory pointing to a sensitive system area, the library may validate the path as safe while the operating system follows the link to write files outside the intended extraction root. This can lead to arbitrary file writes, potentially resulting in privilege escalation or remote code execution by overwriting system configuration files or binaries. A primary attack vector is the supply chain via Git clone, as Git preserves symbolic links during the cloning process, automatically deploying the malicious link to the victim's machine.
Recommendations
Update to version 1.10.5 or later.
Update to version 2.1.1 or later.
As a temporary workaround, restrict the use of the isPathWithinParent() function or avoid extracting untrusted archives into directories where symbolic links may already exist.
Exploit
Fix
Link Following
Weakness Enumeration
Related Identifiers
Affected Products
Compressing