CVE-2026-40931: Node-modules · Compressing
Vulnerability data via NVD (ingested)
Compressing is a compressing and uncompressing library for Node.js. Prior to 2.1.1 and 1.10.5, the patch for CVE-2026-24884 relies on a purely logical string validation within the isPathWithinParent utility. This check verifies whether a resolved path string starts with the destination directory string, but it does not account for the actual filesystem state. By exploiting this "Logical vs. Physical" divergence, an attacker can bypass the security check using a Directory Poisoning technique (pre-existing symbolic links). This vulnerability is fixed in 2.1.1 and 1.10.5.
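The following added example (not code from the Compressing project or from NVD) contrasts a string-prefix check of the kind described above with a check that resolves the real filesystem path first. The helpers `logicalWithin`, `physicalWithin` and `lexists` and the temporary directory layout are hypothetical and constructed for illustration.

```javascript
const fs = require('node:fs');
const os = require('node:os');
const path = require('node:path');
// Assumed shape of a purely logical check (hypothetical, not the library's source).
function logicalWithin(child, parent) {
  return path.resolve(child).startsWith(path.resolve(parent) + path.sep);
}

function lexists(p) {
  try { fs.lstatSync(p); return true; } catch { return false; }
}

// Physical check: resolve symlinks on the deepest existing ancestor, then
// re-append the components that do not exist yet before comparing.
function physicalWithin(child, parent) {
  try {
    const realParent = fs.realpathSync(parent);
    let existing = path.resolve(child);
    const pending = [];
    while (!lexists(existing)) {
      pending.unshift(path.basename(existing));
      existing = path.dirname(existing);
    }
    const real = path.join(fs.realpathSync(existing), ...pending);
    return real.startsWith(realParent + path.sep);
  } catch {
    return false; // dangling link or unreadable component: fail closed
  }
}

// Constructed scenario: a symlink already sits inside the destination directory.
function demo() {
  const base = fs.realpathSync(fs.mkdtempSync(path.join(os.tmpdir(), 'poison-')));
  const dest = path.join(base, 'dest');
  const outside = path.join(base, 'outside');
  fs.mkdirSync(dest);
  fs.mkdirSync(outside);
  fs.symlinkSync(outside, path.join(dest, 'link'), 'dir');
  const linked = path.join(dest, 'link', 'file.txt');
  const plain = path.join(dest, 'sub', 'file.txt');
  const result = {
    linked: [logicalWithin(linked, dest), physicalWithin(linked, dest)],
    plain: [logicalWithin(plain, dest), physicalWithin(plain, dest)],
  };
  fs.rmSync(base, { recursive: true, force: true });
  return result; // each pair is [logical verdict, physical verdict]
}
console.log(demo());
```

A physical check is still check-then-use, so it holds only while nothing else can modify the destination tree between the check and the write.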
Search for exposed instances
Shodan + Censys queries derived from NVD's CPE data. The vuln tag catches assets Shodan has explicitly linked to this CVE; the product / banner fingerprints find exposed instances even when the vuln tag was never applied (which is common).
vuln:CVE-2026-40931
product:"Node-modules Compressing"
http.html:"Compressing"