npm package
compressing
pkg:npm/compressing
Vulnerabilities (2)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-40931 | High | 8.4 | | >= 2.0.0, < 2.1.1 | 2.1.1 | Apr 21, 2026 | Compressing is a compressing and uncompressing lib for node. Prior to 2.1.1 and 1.10.5, the patch for CVE-2026-24884 relies on a purely logical string validation within the isPathWithinParent utility. This check verifies if a resolved path string starts with the destination direc |
| CVE-2026-24884 | — | | | >= 2.0.0, < 2.0.1 | 2.0.1 | Feb 4, 2026 | Compressing is a compressing and uncompressing lib for node. In version 2.0.0 and 1.10.3 and prior, Compressing extracts TAR archives while restoring symbolic links without validating their targets. By embedding symlinks that resolve outside the intended extraction directory, an |