{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-40931", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-15T20:40:15.518Z", "datePublished": "2026-04-21T20:57:09.840Z", "dateUpdated": "2026-04-22T13:52:42.877Z"}, "containers": {"cna": {"title": "Complete Bypass of CVE-2026-24884 Patch via Git-Delivered Symlink Poisoning in compressing", "problemTypes": [{"descriptions": [{"cweId": "CWE-59", "lang": "en", "description": "CWE-59: Improper Link Resolution Before File Access ('Link Following')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 8.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/node-modules/compressing/security/advisories/GHSA-4c3q-x735-j3r5", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/node-modules/compressing/security/advisories/GHSA-4c3q-x735-j3r5"}], "affected": [{"vendor": "node-modules", "product": "compressing", "versions": [{"version": ">=2.0.0, < 2.1.1", "status": "affected"}, {"version": "< 1.10.5", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-21T20:57:09.840Z"}, "descriptions": [{"lang": "en", "value": "Compressing is a compressing and uncompressing lib for node. Prior to 2.1.1 and 1.10.5, the patch for CVE-2026-24884 relies on a purely logical string validation within the isPathWithinParent utility. This check verifies if a resolved path string starts with the destination directory string but fails to account for the actual filesystem state. By exploiting this \"Logical vs. Physical\" divergence, an attacker can bypass the security check using a Directory Poisoning technique (pre-existing symbolic links). This vulnerability is fixed in 2.1.1 and 1.10.5."}], "source": {"advisory": "GHSA-4c3q-x735-j3r5", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/node-modules/compressing/security/advisories/GHSA-4c3q-x735-j3r5", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-22T13:51:59.094969Z", "id": "CVE-2026-40931", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-22T13:52:42.877Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-40931", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-22T13:51:59.094969Z"}}}], "references": [{"url": "https://github.com/node-modules/compressing/security/advisories/GHSA-4c3q-x735-j3r5", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-22T13:52:27.989Z"}}], "cna": {"title": "Complete Bypass of CVE-2026-24884 Patch via Git-Delivered Symlink Poisoning in compressing", "source": {"advisory": "GHSA-4c3q-x735-j3r5", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.4, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "node-modules", "product": "compressing", "versions": [{"status": "affected", "version": ">=2.0.0, < 2.1.1"}, {"status": "affected", "version": "< 1.10.5"}]}], "references": [{"url": "https://github.com/node-modules/compressing/security/advisories/GHSA-4c3q-x735-j3r5", "name": "https://github.com/node-modules/compressing/security/advisories/GHSA-4c3q-x735-j3r5", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Compressing is a compressing and uncompressing lib for node. Prior to 2.1.1 and 1.10.5, the patch for CVE-2026-24884 relies on a purely logical string validation within the isPathWithinParent utility. This check verifies if a resolved path string starts with the destination directory string but fails to account for the actual filesystem state. By exploiting this \"Logical vs. Physical\" divergence, an attacker can bypass the security check using a Directory Poisoning technique (pre-existing symbolic links). This vulnerability is fixed in 2.1.1 and 1.10.5."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-59", "description": "CWE-59: Improper Link Resolution Before File Access ('Link Following')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-21T20:57:09.840Z"}}}, "cveMetadata": {"cveId": "CVE-2026-40931", "state": "PUBLISHED", "dateUpdated": "2026-04-22T13:52:42.877Z", "dateReserved": "2026-04-15T20:40:15.518Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-21T20:57:09.840Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:node-modules:compressing:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "734A2799-2D6B-48E1-BA28-13633AB1A458", "versionEndExcluding": "1.10.5", "vulnerable": true}, {"criteria": "cpe:2.3:a:node-modules:compressing:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "6445E79F-051C-40AF-A23A-6174BF2B41E8", "versionEndExcluding": "2.1.1", "versionStartIncluding": "2.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Compressing is a compressing and uncompressing lib for node. Prior to 2.1.1 and 1.10.5, the patch for CVE-2026-24884 relies on a purely logical string validation within the isPathWithinParent utility. This check verifies if a resolved path string starts with the destination directory string but fails to account for the actual filesystem state. By exploiting this \"Logical vs. Physical\" divergence, an attacker can bypass the security check using a Directory Poisoning technique (pre-existing symbolic links). This vulnerability is fixed in 2.1.1 and 1.10.5."}], "id": "CVE-2026-40931", "lastModified": "2026-04-23T15:49:20.480", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 8.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.5, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-04-21T22:16:19.247", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "url": "https://github.com/node-modules/compressing/security/advisories/GHSA-4c3q-x735-j3r5"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "url": "https://github.com/node-modules/compressing/security/advisories/GHSA-4c3q-x735-j3r5"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-59"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[2.0.0,2.1.1)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.10.5)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "compressing", "source": "cna", "vendor": "node-modules"}, "product": "compressing", "vendor": "node-modules"}], "analysis": {"en": {"generated_at": "2026-04-22T07:08:52.378113+00:00", "value": {"mitigation_remediation": ["Update the compressing library to version 2.1.1 or 1.10.5 or newer.", "Remove or disable pre\u2011existing symbolic links in archive extraction paths.", "Implement additional runtime checks that verify physical path containment before writing files."], "summary": {"action": "Patch Immediately", "impact": "Remote Code Execution via Symlink-Based Directory Traversal"}, "threat_synthesis": {"affected_systems": "The issue affects the node\u2011modules:compressing library in versions prior to 2.1.1 and 1.10.5. These versions are used by any Node.js application that relies on the compressing module for handling archive files. Only the patched releases (2.1.1 and 1.10.5) contain the proper filesystem verification that prevents this path traversal.", "description_and_impact": "The vulnerability is in the compressing library for Node.js, specifically in the isPathWithinParent utility that performs a purely logical string check to confirm that a resolved extraction path begins with the intended destination directory. This vulnerability is a CWE-59 Path Traversal flaw. This check ignores the actual filesystem state, creating a divergence between logical and physical paths. An attacker can exploit this by placing a pre\u2011existing symbolic link that points outside the intended directory, a technique known as directory poisoning. When the check is bypassed, archive extraction can write files to arbitrary locations, allowing the attacker to overwrite or create files that the application or user is not authorized to modify, potentially leading to remote code execution or privilege escalation. The fix is included in versions 2.1.1 and 1.10.5.", "risk_and_exploitability": "The CVSS score of 8.4 indicates a high impact vulnerability. The EPSS score is not available, but the KEV status indicates it is not currently listed as a known exploited vulnerability. Attackers would need the ability to provide a malicious archive or set up a symbolic link before extraction. By exploiting the vulnerability, they can cause the library to write arbitrary data outside the intended directory, which may lead to arbitrary code execution if the application later executes those files. The risk is significant for any code that processes archives from untrusted sources."}}}}, "created": "2026-04-22T03:45:06.830270+00:00", "updated": "2026-04-22T07:15:11.668879+00:00", "vendors": ["node-modules", "node-modules$PRODUCT$compressing"]}