While working on web project, I reviewed the dependency manifest and found that it uses a vulnerable version of compressing. During analysis, I discovered that the archive extraction logic does not properly validate symlink paths against the actual filesystem. This allows attackers to exploit symlink poisoning to bypass path checks and write files outside the intended extraction directory, potentially leading to arbitrary file overwrite, privilege escalation, or code execution.
CVE Report
CVE Link
While working on web project, I reviewed the dependency manifest and found that it uses a vulnerable version of compressing. During analysis, I discovered that the archive extraction logic does not properly validate symlink paths against the actual filesystem. This allows attackers to exploit symlink poisoning to bypass path checks and write files outside the intended extraction directory, potentially leading to arbitrary file overwrite, privilege escalation, or code execution.
CVE Report
CVE Link