CVE-2026-24884
Published: 04 February 2026
Summary
CVE-2026-24884 is a high-severity Link Following (CWE-59) vulnerability in Node-Modules Compressing. Its CVSS base score is 8.4 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 0.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mitigates the CVE by requiring timely remediation of the flaw in the Compressing library through patching to versions 1.10.4 or 2.0.1 that validate symlink targets during TAR extraction.
Requires validation of TAR archive inputs to detect and reject symlinks resolving outside the intended extraction directory, preventing arbitrary file writes.
Enforces least privilege on processes using the Compressing library, limiting the scope of arbitrary file writes via malicious symlinks to only authorized locations.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Local malicious TAR archive exploitation via symlink/path traversal enables arbitrary file write leading to priv esc (T1068); processing of attacker-supplied archive maps to malicious file execution (T1204.002).
NVD Description
Compressing is a compressing and uncompressing lib for node. In version 2.0.0 and 1.10.3 and prior, Compressing extracts TAR archives while restoring symbolic links without validating their targets. By embedding symlinks that resolve outside the intended extraction directory, an attacker…
more
can cause subsequent file entries to be written to arbitrary locations on the host file system. Depending on the extractor’s handling of existing files, this behavior may allow overwriting sensitive files or creating new files in security-critical locations. This issue has been patched in versions 1.10.4 and 2.0.1.
Deeper analysisAI
CVE-2026-24884 affects the Compressing library for Node.js, a compressing and uncompressing library. In versions 2.0.0 and 1.10.3 and prior, the library extracts TAR archives while restoring symbolic links without validating their targets. This CWE-59 improper symlink following issue enables attackers to embed symlinks that resolve outside the intended extraction directory, allowing subsequent file entries to be written to arbitrary locations on the host filesystem. The vulnerability carries a CVSS v3.1 base score of 8.4 (AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
A local attacker with no privileges required can exploit this by providing a malicious TAR archive for extraction via the vulnerable Compressing library. Low attack complexity and no user interaction are needed. Successful exploitation causes subsequent archive contents to follow the malicious symlinks, potentially overwriting sensitive files or creating new files in security-critical locations, depending on the extractor's handling of existing files. This grants high impacts to confidentiality, integrity, and availability.
The issue has been patched in Compressing versions 1.10.4 and 2.0.1. Security advisories recommend updating to these fixed releases. Details on the patches are available in the GitHub security advisory at GHSA-cc8f-xg8v-72m3 and the relevant commits at 8d16c196c7f1888fc1af957d9ff36117247cea6c and ce1c0131c401c071c77d5a1425bf8c88cfc16361.
Details
- CWE(s)