CVE-2026-40931
Published: 21 April 2026
Summary
CVE-2026-40931 is a high-severity Link Following (CWE-59) vulnerability in Node-Modules Compressing. Its CVSS base score is 8.4 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005). It is ranked at the 5.0th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and CM-10 (Software Usage Restrictions).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Directly mandates timely remediation of the flawed path validation in the Compressing library by installing fixed versions 2.1.1 or 1.10.5.
Requires validating path inputs to account for filesystem state including symbolic links, mitigating the logical vs. physical divergence exploited in directory poisoning.
Enforces deny-all/permit-by-exception policies to block execution of vulnerable Compressing library versions on the system.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability enables arbitrary file read/write outside intended directories via symlink-based path validation bypass during compress/uncompress operations, directly facilitating local data collection (T1005), overwriting of critical files for destruction (T1485), and stored data manipulation (T1565.001).
NVD Description
Compressing is a compressing and uncompressing lib for node. Prior to 2.1.1 and 1.10.5, the patch for CVE-2026-24884 relies on a purely logical string validation within the isPathWithinParent utility. This check verifies if a resolved path string starts with the destination directory string but fails to account for the actual filesystem state. By exploiting this "Logical vs. Physical" divergence, an attacker can bypass the security check using a Directory Poisoning technique (pre-existing symbolic links). This vulnerability is fixed in 2.1.1 and 1.10.5.
Deeper analysis
CVE-2026-40931 is a vulnerability in the Compressing library, a Node.js module for compressing and uncompressing files, affecting versions prior to 2.1.1 and 1.10.5. The issue stems from a flawed patch for the prior CVE-2026-24884, where the isPathWithinParent utility performs only logical string validation to check if a resolved path starts with the destination directory string. This fails to consider the actual filesystem state, creating a "logical vs. physical" divergence that enables bypass via directory poisoning with pre-existing symbolic links. It is classified under CWE-59 (Improper Link Resolution Before File Access) with a CVSS v3.1 base score of 8.4 (AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
A local attacker with no privileges required can exploit this vulnerability by creating pre-existing symbolic links that poison target directories. During compression or uncompression operations, the inadequate path validation allows the attacker to bypass restrictions, enabling arbitrary file access outside the intended destination directory. This results in high-impact confidentiality, integrity, and availability violations, such as overwriting critical files or extracting contents to unauthorized locations.
The GitHub security advisory (GHSA-4c3q-x735-j3r5) confirms the vulnerability is fixed in Compressing versions 2.1.1 and 1.10.5, recommending immediate upgrades to these patched releases as the primary mitigation.
Details
- CWE(s): CWE-59 (Improper Link Resolution Before File Access)