CVE-2026-24884 — HIGH (8.4)

Q: How severe is CVE-2026-24884?

CVE-2026-24884 has been rated HIGH with a CVSS base score of 8.4/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2026-24884?

Check the references section above for vendor advisories and patch information. Affected products include: Node-Modules Compressing.

Vulnerability Description

Compressing is a compressing and uncompressing lib for node. In version 2.0.0 and 1.10.3 and prior, Compressing extracts TAR archives while restoring symbolic links without validating their targets. By embedding symlinks that resolve outside the intended extraction directory, an attacker can cause subsequent file entries to be written to arbitrary locations on the host file system. Depending on the extractor’s handling of existing files, this behavior may allow overwriting sensitive files or creating new files in security-critical locations. This issue has been patched in versions 1.10.4 and 2.0.1.

CVSS Score

8.4

HIGH

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Node-Modules	Compressing	< 1.10.4

Related Weaknesses (CWE)

CWE-59

References

FAQ

What is CVE-2026-24884?

CVE-2026-24884 is a vulnerability with a CVSS score of 8.4 (HIGH). Compressing is a compressing and uncompressing lib for node. In version 2.0.0 and 1.10.3 and prior, Compressing extracts TAR archives while restoring symbolic links without validating their targets. B...

How severe is CVE-2026-24884?

CVE-2026-24884 has been rated HIGH with a CVSS base score of 8.4/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2026-24884?

Check the references section above for vendor advisories and patch information. Affected products include: Node-Modules Compressing.