Threat Advisory

Compressing Library Vulnerability Allows Partial Fix Bypass via Symlink Traversal

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: High

EXECUTIVE SUMMARY:

Multiple security vulnerabilities have been identified in the compressing npm package, specifically in versions up to v2.1.0. The core vulnerabilities are a Partial Fix Bypass of CVE-2026-24884 and an Arbitrary File Overwrite vulnerability caused by a Symlink Path Traversal bypass. The business risk and impact of these vulnerabilities are significant, as they can be exploited via a standard developer workflow, including git clone and running a node application. This can lead to privilege escalation, remote code execution, and data corruption, ultimately resulting in reputational damage to the library and potential financial losses for organizations using the compressing package.

CVE-2026-24884 with a CVSS score of 9.8 – This vulnerability is a Partial Fix Bypass of CVE-2026-24884, where a security patch meant to prevent directory traversal only validates path strings but ignores the filesystem state (symlinks). An attacker can exploit this by creating a poisoned GitHub repository with a malicious symlink pointing to a sensitive target. When the victim extracts the untrusted archive, the library's logic will treat the symlink as a normal path, allowing the underlying fs.writeFile to follow the link and overwrite the sensitive target.

CVE-2026-40931 with a CVSS score of 8.4 – This is an Arbitrary File Overwrite vulnerability caused by a Symlink Path Traversal bypass. The library uses path.resolve on entry names and compares them string-wise with the destination directory. However, it does not check if intermediate directories are symlinks on disk, allowing an attacker to create a poisoned directory that redirects to a location outside the root. When the library writes a file to the poisoned directory, it will follow the symlink and overwrite the sensitive target.

The overall risk and urgency of these vulnerabilities are high, as they can be exploited via a standard developer workflow, including git clone and running a node application. If exploited, these vulnerabilities can lead to privilege escalation, remote code execution, and data corruption, ultimately resulting in reputational damage to the library and potential financial losses for organizations using the compressing package.

RECOMMENDATION:

We recommend updating compressing to version 2.1.1 or 1.10.5.

REFERENCES:

The following reports contain further technical details:
https://github.com/advisories/GHSA-4c3q-x735-j3r5
