CVE-2026-24884

Name of the Vulnerable Software and Affected Versions Compressing versions 1.10.3 and prior Compressing version 2.0.0

Description Compressing, a compressing and uncompressing library for Node.js, does not validate symbolic link targets when extracting TAR archives. This allows an attacker to embed symlinks that resolve to locations outside the intended extraction directory. This can lead to writing files to arbitrary locations on the host file system, potentially overwriting sensitive files or creating new files in security-critical locations. The issue occurs when restoring symbolic links during TAR archive extraction.

Recommendations Update to version 1.10.4 or later. Update to version 2.0.1 or later.