📄 Description (English)
Compressing is a compressing and uncompressing lib for node. Prior to 2.1.1 and 1.10.5, the patch for CVE-2026-24884 relies on a purely logical string validation within the isPathWithinParent utility. This check verifies if a resolved path string starts with the destination directory string but fails to account for the actual filesystem state. By exploiting this "Logical vs. Physical" divergence, an attacker can bypass the security check using a Directory Poisoning technique (pre-existing symbolic links). This vulnerability is fixed in 2.1.1 and 1.10.5.
🤖 AI Executive Summary
CVE-2026-40931 is a critical path traversal vulnerability in the Compressing Node.js library that allows attackers to bypass directory validation through symbolic link exploitation. The vulnerability affects versions prior to 2.1.1 and 1.10.5, enabling arbitrary file extraction outside intended directories. With public exploits available and widespread use of Node.js in Saudi enterprises, this poses an immediate risk to application security across multiple sectors.
📄 Description (Arabic)
🤖 AI Intelligence Analysis Analyzed: Apr 24, 2026 06:32
🇸🇦 Saudi Arabia Impact Assessment
This vulnerability poses significant risk to Saudi organizations using Node.js-based applications, particularly: Banking sector (SAMA-regulated institutions) processing financial transactions and data compression; Government agencies (NCA oversight) handling sensitive citizen data; E-commerce and fintech platforms compressing user information; Telecommunications companies (STC, Mobily) managing customer data; Healthcare providers processing patient records; Energy sector (ARAMCO, utilities) managing operational data. The logical vs. physical path validation bypass enables attackers to extract sensitive files during decompression operations, potentially exposing PII, financial data, and critical infrastructure information.
🏢 Affected Saudi Sectors
Banking and Financial Services
Government and Public Administration
Healthcare and Medical Services
Energy and Utilities
Telecommunications
E-commerce and Retail
Fintech and Payment Processing
🎯 MITRE ATT&CK Techniques
⚖️ Saudi Risk Score (AI)
8.7
/ 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:
1. Identify all Node.js applications using Compressing library versions <2.1.1 or <1.10.5 via npm audit and dependency scanning
2. Implement input validation to reject archive files with suspicious symbolic links before processing
3. Run decompression operations in isolated containers with minimal filesystem permissions
4. Monitor for suspicious file extraction patterns in application logs
PATCHING GUIDANCE:
1. Upgrade Compressing to version 2.1.1 or 1.10.5 immediately
2. Test patches in development environment before production deployment
3. Implement staged rollout to minimize service disruption
COMPENSATING CONTROLS (if patching delayed):
1. Disable automatic decompression features until patched
2. Implement strict file permission policies (umask 0077 for extraction directories)
3. Use chroot/containerization to isolate decompression operations
4. Validate extracted file paths against whitelist before processing
5. Implement filesystem monitoring for unexpected symbolic link creation
DETECTION RULES:
1. Monitor for symlink creation in temporary extraction directories
2. Alert on file extraction attempts outside designated directories
3. Track failed path validation attempts in application logs
4. Monitor for unusual archive file structures with embedded symlinks
🔧 خطوات المعالجة (العربية)
الإجراءات الفورية:
1. تحديد جميع تطبيقات Node.js التي تستخدم مكتبة Compressing بإصدارات <2.1.1 أو <1.10.5 عبر npm audit
2. تنفيذ التحقق من المدخلات لرفض ملفات الأرشيف التي تحتوي على روابط رمزية مريبة
3. تشغيل عمليات فك الضغط في حاويات معزولة بأذونات نظام ملفات محدودة
4. مراقبة أنماط استخراج الملفات المريبة في سجلات التطبيق
إرشادات التصحيح:
1. ترقية Compressing إلى الإصدار 2.1.1 أو 1.10.5 فوراً
2. اختبار التصحيحات في بيئة التطوير قبل نشرها في الإنتاج
3. تنفيذ طرح مرحلي لتقليل انقطاع الخدمة
الضوابط البديلة (إذا تأخر التصحيح):
1. تعطيل ميزات فك الضغط التلقائي حتى يتم التصحيح
2. تنفيذ سياسات أذونات الملفات الصارمة
3. استخدام chroot/containerization لعزل عمليات فك الضغط
4. التحقق من مسارات الملفات المستخرجة مقابل قائمة بيضاء
5. مراقبة نظام الملفات للكشف عن إنشاء روابط رمزية غير متوقعة
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
ECC 2024 A.12.6.1 - Management of technical vulnerabilities
ECC 2024 A.14.2.1 - Secure development policy
ECC 2024 A.12.2.1 - Monitoring and logging of access to information
🔵 SAMA CSF
SAMA CSF ID.BE-1 - Asset management and inventory
SAMA CSF PR.DS-6 - Data protection and integrity
SAMA CSF DE.CM-1 - Detection and monitoring
🟡 ISO 27001:2022
ISO 27001:2022 A.8.1 - Asset management
ISO 27001:2022 A.14.2 - Secure development
ISO 27001:2022 A.12.4 - Logging and monitoring
🟣 PCI DSS v4.0.1
PCI DSS 6.2 - Security patches and updates
PCI DSS 11.2 - Vulnerability scanning
🔗 References & Sources 2
🔗
https://github.com/node-modules/compressing/security/advisories/GHSA-4c3q-x735-j3r5
security-advisories@github.com
Exploit
Mitigation
Vendor Advisory
🔗
https://github.com/node-modules/compressing/security/advisories/GHSA-4c3q-x735-j3r5
134c704f-9b21-4f2e-91b3-4a467353bcc0
Exploit
Mitigation
Vendor Advisory
📦 Affected Products / CPE 2 entries
node-modules:compressing
node-modules:compressing