CVE-2026-24884: Node.js compressing Flaw Lets Malicious TAR Files Write Anywhere on the System

Overview

CVE ID: CVE-2026-24884
Component: compressing (Node.js / npm package)
Vulnerability Type: Symlink Write leading to Arbitrary File Write
CVSS v3.1 Base Score: 8.4
Severity: High
Exploitability: High when untrusted archives are processed
Exploit Availability: The symlink-then-write technique is well known and easily reproduced with standard TAR utilities; no specialised exploit is needed beyond a crafted archive


Description

The compressing npm package restores symbolic links found in a TAR archive without validating where they point. Because of this, a crafted TAR file can cause files to be written outside the intended extraction directory.

The attack needs two kinds of entry. The first is a symbolic link, placed inside the extraction directory, whose target lies elsewhere on the filesystem. Later file entries then name paths beneath that link; when the extractor opens those paths to write them, the operating system follows the link, so the data lands at the attacker-chosen location. The only limit is the permissions of the process performing the extraction.


Affected Versions

  • compressing versions 1.10.3 and earlier
  • compressing version 2.0.0

Fixed Versions

  • compressing 1.10.4
  • compressing 2.0.1

Official Patch / Upgrade Link

Upgrading to one of the fixed versions fully addresses the issue.


Technical Details

When a TAR archive is processed, entries are handled sequentially. The vulnerable logic allows:

  • Creation of symbolic links whose targets are absolute paths or contain traversal sequences (../)
  • Subsequent file entries to be resolved through those symbolic links
  • File writes to occur outside the extraction root directory

No canonical path validation or symlink boundary enforcement is applied before file creation. Because the escaping component is the link target rather than the entry name, the file entry itself can be a clean relative path such as link/payload.txt. A check that only rejects ../ sequences or absolute paths in entry names therefore passes it, which is why this pattern bypasses common archive extraction checks.


Attack Scenario

  1. An application accepts a TAR archive from an external or untrusted source.
  2. The archive is extracted using a vulnerable version of compressing.
  3. The archive contains:
    • A symbolic link pointing outside the extraction directory (e.g., to /tmp or /etc)
    • One or more files written through that symbolic link
  4. Files are written to unintended filesystem locations during extraction.

This can result in overwriting configuration files, planting executable scripts, or modifying application data.


Impact

  • Arbitrary file creation or overwrite
  • Potential privilege escalation if sensitive paths are writable
  • Service disruption or configuration tampering
  • Indirect remote code execution in environments where written files are later executed

The impact depends heavily on the privileges of the extraction process and the filesystem layout.


MITRE Mapping

  • CWE-59: Improper Link Resolution Before File Access

Proof of Concept (Educational)

A proof-of-concept archive can be constructed using standard TAR utilities:

  • A symbolic link entry is created that points to an external directory
  • A regular file entry follows, targeting the symlink path

When extracted, the file appears outside the extraction directory. This technique is intended strictly for defensive validation, security testing, and education.
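The following is an added example and is not code from the compressing package or from this advisory. It builds the archive described under Technical Details and in the proof of concept with Python's tarfile module (the file entry's name, link/payload.txt, deliberately contains no ../), extracts it with a naive extractor that mirrors the vulnerable behaviour, and then with a hardened extractor that applies the missing check: every destination, and every symlink target, is canonicalised with realpath and must remain under the extraction root. All paths are temporary directories the script creates, with an "outside" directory standing in for /etc; the inside() helper doubles as the post-extraction validation recommended under Mitigation.

```python
"""Added example; not code from the compressing package. Builds the
symlink-then-write TAR from the advisory, extracts it with a naive extractor
that reproduces the CWE-59 behaviour, then with a hardened one that
canonicalises every destination. All directories are temporary ones created
here; 'outside' stands in for /etc."""
import io
import os
import tarfile
import tempfile


def build_tar(entries):
    """Constructed test archive from (name, linkname, data) tuples: an entry
    with a linkname becomes a symlink, one with data a regular file."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, linkname, data in entries:
            info = tarfile.TarInfo(name)
            if linkname is not None:
                info.type = tarfile.SYMTYPE
                info.linkname = linkname
                tar.addfile(info)
            else:
                info.size = len(data)
                tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def poc_tar(target_dir):
    """The advisory's layout: 'link' points outside the extraction root and
    'link/payload.txt' is written through it. The file entry's own name has
    no '..' and no leading '/', so a name-only check passes it."""
    return build_tar([("link", target_dir, None),
                      ("link/payload.txt", None, b"written through the symlink\n")])


def naive_extract(tar_bytes, root):
    """Vulnerable pattern: only the entry name is checked, symlink targets are
    not, and later entries are opened by path, so the OS follows the symlink
    created a moment earlier."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes)) as tar:
        for m in tar:
            if ".." in m.name.split("/") or m.name.startswith("/"):
                raise ValueError("rejected " + m.name)
            dest = os.path.join(root, m.name)
            os.makedirs(os.path.dirname(dest), exist_ok=True)
            if m.issym():
                os.symlink(m.linkname, dest)
            elif m.isfile():
                with open(dest, "wb") as fh:
                    fh.write(tar.extractfile(m).read())


def inside(path, root):
    """True if the canonical form of path (all symlinks resolved) lies under
    root. Also usable as a post-extraction check over the written tree."""
    real_root = os.path.realpath(root)
    return os.path.commonpath([os.path.realpath(path), real_root]) == real_root


def safe_extract(tar_bytes, root):
    """Hardened pattern: the symlink-resolved destination of every entry, and
    the target of every symlink (resolved relative to the link's own
    directory), must stay inside root. Returns the names written."""
    written = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes)) as tar:
        for m in tar:
            dest = os.path.join(root, m.name)
            # catches '..', absolute names and a path through an earlier symlink
            if not inside(dest, root):
                raise ValueError("escapes root: " + m.name)
            if m.issym():
                target = os.path.join(os.path.dirname(dest), m.linkname)
                if not inside(target, root):
                    raise ValueError("symlink escapes root: %s -> %s" % (m.name, m.linkname))
            elif not m.isfile():
                raise ValueError("unsupported entry type: " + m.name)
            os.makedirs(os.path.dirname(dest), exist_ok=True)
            if m.issym():
                os.symlink(m.linkname, dest)
            else:
                with open(dest, "wb") as fh:
                    fh.write(tar.extractfile(m).read())
            written.append(m.name)
    return written


def demo():
    """Run both extractors against the PoC, then the hardened one against a
    benign archive whose only symlink stays inside the root."""
    with tempfile.TemporaryDirectory() as work:
        outside, vuln, safe = (os.path.join(work, d) for d in ("outside", "vuln", "safe"))
        for d in (outside, vuln, safe):
            os.mkdir(d)
        poc = poc_tar(outside)
        naive_extract(poc, vuln)
        try:
            safe_extract(poc, safe)
            blocked = False
        except ValueError:
            blocked = True
        after_block = os.listdir(safe)  # nothing was created before the rejection
        benign = build_tar([("README.txt", None, b"hello\n"),
                            ("docs/latest", "../README.txt", None)])
        return {"naive_escaped": os.path.isfile(os.path.join(outside, "payload.txt")),
                "safe_blocked": blocked,
                "safe_root_after_block": after_block,
                "benign_accepted": safe_extract(benign, safe)}


if __name__ == "__main__":
    print(demo())
```

The hardened extractor rejects the PoC at its first entry, because the link target resolves outside the root, and creates nothing; the relative in-root symlink in the benign archive is still accepted, so the check does not amount to banning symlinks outright. Running the same realpath comparison over every path in the extraction tree after an upgrade is the verification step listed under Remediation Verification.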


Detection and Monitoring

Relevant Log Sources

  • Application logs showing archive extraction operations
  • Linux audit logs (syscall-level events)
  • Container runtime logs (for containerized deployments)
  • File integrity monitoring logs
  • CI/CD pipeline execution logs

Detection Queries

Linux Auditd (syscall-based)

auditd records these syscalls only if a rule asks for them. The searches below assume rules like the following (the key names are placeholders):

auditctl -a always,exit -F arch=b64 -S symlink,symlinkat -k tar_symlink
auditctl -w /etc -p wa -k etc_write

Detect symlink creation events:

ausearch -k tar_symlink -i
ausearch -sc symlink
ausearch -sc symlinkat

Detect writes into sensitive directories:

ausearch -k etc_write -i
ausearch -f /etc -i
ausearch -f /tmp -i

Note that ausearch -f, like any filter on the logged path, matches the name the process passed to the syscall, not the resolved location, so a write through /srv/app/extract/link/payload.txt is logged under the extraction root. The -w watch is matched on the directory inode and fires regardless of the path used, so correlating its key with a preceding symlink creation by the same pid is more reliable than filtering on path prefix alone.

Splunk (Filesystem Write After Archive Extraction)

index=os_logs (syscall=symlink OR syscall=symlinkat OR syscall=open OR syscall=openat OR syscall=creat)
| eval outside_root=if(isnotnull(file_path) AND NOT like(file_path, "/srv/app/extract/%"), 1, 0)
| transaction pid maxspan=2m
| search syscall=symlink* outside_root=1
| table _time host user pid syscall file_path

Field names (syscall, file_path, pid) and the /srv/app/extract root are placeholders for whatever the audit add-on extracts. Filtering before transaction keeps the join small, and the final search keeps only a pid that both created a symlink and touched a path outside the root within two minutes. Because file_path is the name the process supplied, a write through a symlink inside the root will not set outside_root; add the audit key of a watch on the sensitive directories to the same transaction so those writes surface too.

Elastic / OpenSearch

event.action:(symlink or write)
and not file.path:/srv/app/extract/*

Adjust the event.action values to what your shipper emits for symlink creation and file writes. As with the Splunk search, file.path holds the name the process supplied, so combine this with the rule key of a watch on the sensitive directories rather than relying on the path prefix alone.

OSSEC / Wazuh (File Integrity Monitoring)

Monitor unexpected file creation in the directories a symlink is most likely to target (syscheck block in ossec.conf):

<syscheck>
  <directories check_all="yes" realtime="yes">/etc,/tmp,/var/tmp</directories>
</syscheck>

Correlate alerts with application extraction timestamps. Real-time monitoring of /tmp is noisy, so scope it to the hosts that perform extraction.
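The following is an added example, not code from the SIEM products above or from auditd. It runs the symlink-then-write correlation that the Splunk search expresses in Python over a few constructed raw audit.log records. It assumes two audit rules with key names of my own choosing (-a always,exit -F arch=b64 -S symlink,symlinkat -k tar_symlink and -w /etc -p wa -k etc_write) and an extraction root of /srv/app/extract. The sample also shows a property of auditd worth knowing when writing these queries: the PATH name recorded for the write through the symlink still starts with the extraction root, so a path-prefix filter returns nothing, while the watch key, correlated with the preceding symlink creation by the same pid, flags it.

```python
"""Added example; not code from the page's SIEM products or from auditd.
Correlates a symlink created inside the extraction root with a later write
caught by an inode-based watch, over constructed raw audit.log records.
Assumed rules (keys are placeholders):
  -a always,exit -F arch=b64 -S symlink,symlinkat -k tar_symlink
  -w /etc -p wa -k etc_write
"""
import re

# x86_64 syscall numbers as written in raw audit.log (ausearch -i prints names)
SYSCALL_NAMES = {2: "open", 85: "creat", 88: "symlink", 257: "openat", 266: "symlinkat"}
REC = re.compile(r'type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)')
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed records: pid 4321 creates /srv/app/extract/link -> /etc, then
# creates a file through it. The PATH name of event 502 still starts with the
# extraction root; only the watch key (and the PARENT inode, 2 rather than the
# root's 131073) reveal that the file landed in /etc. Event 503 is benign.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1700000000.101:501): arch=c000003e syscall=266 success=yes exit=0 pid=4321 uid=1001 comm="node" exe="/usr/bin/node" key="tar_symlink"
type=PATH msg=audit(1700000000.101:501): item=0 name="/srv/app/extract/" inode=131073 nametype=PARENT
type=PATH msg=audit(1700000000.101:501): item=1 name="/srv/app/extract/link" inode=131080 nametype=CREATE
type=SYSCALL msg=audit(1700000000.104:502): arch=c000003e syscall=257 success=yes exit=5 pid=4321 uid=1001 comm="node" exe="/usr/bin/node" key="etc_write"
type=PATH msg=audit(1700000000.104:502): item=0 name="/srv/app/extract/link/" inode=2 nametype=PARENT
type=PATH msg=audit(1700000000.104:502): item=1 name="/srv/app/extract/link/payload.txt" inode=917 nametype=CREATE
type=SYSCALL msg=audit(1700000004.500:503): arch=c000003e syscall=257 success=yes exit=6 pid=4400 uid=1001 comm="node" exe="/usr/bin/node" key=(null)
type=PATH msg=audit(1700000004.500:503): item=0 name="/srv/app/extract/" inode=131073 nametype=PARENT
type=PATH msg=audit(1700000004.500:503): item=1 name="/srv/app/extract/README" inode=131081 nametype=CREATE
"""


def parse_audit(text):
    """Group raw records by audit serial into events carrying pid, syscall
    name, rule key and the (name, nametype) PATH items, in time order."""
    events = {}
    for line in text.splitlines():
        m = REC.match(line.strip())
        if not m:
            continue
        rtype, ts, serial, body = m.groups()
        ev = events.setdefault(int(serial), {"serial": int(serial), "time": float(ts), "paths": []})
        fields = {k: v.strip('"') for k, v in KV.findall(body)}
        if rtype == "SYSCALL":
            sc = fields["syscall"]
            ev["pid"] = int(fields["pid"])
            ev["syscall"] = SYSCALL_NAMES.get(int(sc), sc) if sc.isdigit() else sc
            ev["key"] = fields.get("key", "(null)")
        elif rtype == "PATH":
            ev["paths"].append((fields["name"], fields.get("nametype")))
    return [events[s] for s in sorted(events)]


def created_under(ev, root):
    return any(nt == "CREATE" and name.startswith(root + "/") for name, nt in ev["paths"])


def path_prefix_alerts(events, root):
    """The 'file path outside the extraction root' filter. It returns nothing
    for this sample: auditd logs the name as passed to the syscall, not the
    symlink-resolved location."""
    return [ev["serial"] for ev in events
            if any(nt == "CREATE" and not name.startswith(root + "/") for name, nt in ev["paths"])]


def symlink_then_write_alerts(events, root, watch_key="etc_write", maxspan=120):
    """Per pid: a symlink created inside the root, followed within maxspan
    seconds by an event matched by the watch rule on the sensitive directory."""
    last_symlink, alerts = {}, []
    for ev in events:
        if ev["syscall"] in ("symlink", "symlinkat") and created_under(ev, root):
            last_symlink[ev["pid"]] = ev
        elif ev["key"] == watch_key and ev["pid"] in last_symlink:
            link = last_symlink[ev["pid"]]
            if ev["time"] - link["time"] <= maxspan:
                alerts.append({"pid": ev["pid"], "symlink_event": link["serial"],
                               "write_event": ev["serial"], "logged_name": ev["paths"][-1][0]})
    return alerts


if __name__ == "__main__":
    evs = parse_audit(SAMPLE_AUDIT_LOG)
    print("path-prefix filter:", path_prefix_alerts(evs, "/srv/app/extract"))
    print("symlink-then-write:", symlink_then_write_alerts(evs, "/srv/app/extract"))
```

The same correlation can be expressed in any SIEM that groups by pid over a time window; the point of the sample is that the join key has to be the watch rule's key (or the PATH record's dev/inode pair), not the logged path string.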


Indicators of Exploitation

  • Symbolic links appearing unexpectedly in extraction directories
  • Files written outside the expected archive destination path
  • Sudden file changes following archive processing
  • New executable files in temporary or configuration directories

Mitigation

  • Upgrade to a fixed version of compressing
  • Avoid extracting archives from untrusted sources
  • Disable or ignore symbolic link restoration during extraction where possible
  • Perform archive extraction in isolated environments (containers, chroot, restricted users)
  • Enforce least-privilege execution for services handling archives
  • Implement post-extraction validation to ensure no files were written outside the intended directory

Remediation Verification

After upgrading:

  • Attempt extraction of a test archive containing symlinks
  • Confirm that symlink traversal outside the extraction root is blocked
  • Validate that no external file writes occur

Final Takeaway

CVE-2026-24884 is a high-severity arbitrary file write vulnerability caused by improper handling of symbolic links during TAR extraction. The issue is straightforward to exploit when untrusted archives are processed and can lead to serious system compromise. Timely patching, extraction hardening, and filesystem monitoring are essential to reducing risk.


Aegiron

Backed by 11+ years in cybersecurity and incident response, we decode the latest threats shaping today’s digital battlefield. This blog cuts through the noise with clear insights on vulnerabilities, emerging exploits, and the cyber news defenders can’t afford to miss.