CNNVD-202602-589 Information
CNNVD ID
CNNVD-202602-589
Related CVE
- CNNVD Published: 2026-02-04
Description (Chinese)
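compressing is an open-source compression and decompression utility library from node_modules. Compressing 1.10.3 and earlier versions, and version 2.0.0, contain a link following vulnerability. The vulnerability stems from symbolic link targets not being validated when TAR archives are extracted, which may lead to arbitrary file write.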
Description (English)
Compressing is an open-source compression and decompression library from node_modules. Compressing 1.10.3 and earlier, and version 2.0.0, have a link following vulnerability that results from symbolic link targets not being validated when a TAR archive is extracted, which may lead to arbitrary file write.
Hazard Level
High
Vulnerability Type
Link following
Affected Vendor
node_modules
Published
2026-02-04
Last Modified
2026-02-24
References
https://github.com/node-modules/compressing/commit/8d16c196c7f1888fc1af957d9ff36117247cea6c
https://github.com/node-modules/compressing/commit/ce1c0131c401c071c77d5a1425bf8c88cfc16361
https://github.com/node-modules/compressing/security/advisories/GHSA-cc8f-xg8v-72m3
Patch
https://www.npmjs.com/package/compressing