CVE-2026-40931: CWE-59: Improper Link Resolution Before File Access ('Link Following') in node-modules compressing
Compressing is a compressing and uncompressing lib for node. Prior to 2.1.1 and 1.10.5, the patch for CVE-2026-24884 relies on a purely logical string validation within the isPathWithinParent utility. This check verifies if a resolved path string starts with the destination directory string but fails to account for the actual filesystem state. By exploiting this "Logical vs. Physical" divergence, an attacker can bypass the security check using a Directory Poisoning technique (pre-existing symbolic links). This vulnerability is fixed in 2.1.1 and 1.10.5.
AI Analysis
Technical Summary
The vulnerability in the node-modules compressing library (CVE-2026-40931) stems from improper link resolution before file access (CWE-59). The isPathWithinParent utility performs a logical string check to verify that a resolved path starts with the destination directory string, but it does not consult the actual filesystem state, such as symbolic links. This discrepancy allows an attacker to exploit directory poisoning by leveraging pre-existing symbolic links to bypass the security check. Affected versions are >=2.0.0 and <2.1.1, and versions below 1.10.5. The issue is resolved in versions 2.1.1 and 1.10.5.
Potential Impact
Successful exploitation can lead to unauthorized file access by bypassing path validation, potentially compromising the confidentiality, integrity, and availability of files handled by the compressing library. The CVSS score of 8.4 reflects high impact with a local attack vector, low attack complexity, no privileges required, and no user interaction needed.
Mitigation Recommendations
Upgrade the node-modules compressing library to version 2.1.1 or later, or to version 1.10.5 or later, where this vulnerability is fixed. The advisory provides no patch links or remediation level, so treat these version upgrades as the definitive fix; the advisory itself confirms the vulnerability is fixed in those versions.
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-04-15T20:40:15.518Z
- CVSS Version: 3.1
- State: PUBLISHED
- Remediation Level: null
Threat ID: 69e7e91619fe3cd2cdfaec43
Added to database: 4/21/2026, 9:16:06 PM
Last enriched: 4/21/2026, 9:31:13 PM
Last updated: 4/22/2026, 7:19:10 AM