{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/arbitrary-file-overwrite/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":8.4,"id":"CVE-2026-24884"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["npm","supply-chain","symlink","directory-traversal","privilege-escalation","arbitrary-file-overwrite"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe \u003ccode\u003ecompressing\u003c/code\u003e npm package (v2.1.0 and earlier) contains a critical vulnerability that permits arbitrary file overwrites due to a symlink path traversal bypass. This bypass affects the patch for CVE-2026-24884. The vulnerability arises from an incomplete validation in the \u003ccode\u003eisPathWithinParent\u003c/code\u003e utility, where path string checks are performed without verifying the filesystem state, specifically symbolic links. By cloning a malicious repository containing a pre-existing symbolic link, a victim unknowingly plants a \u0026ldquo;poisoned path\u0026rdquo; on their system. The attacker can then craft a malicious archive that, when extracted by the vulnerable library, follows the symlink and overwrites arbitrary files. The ease of exploitation via \u003ccode\u003egit clone\u003c/code\u003e makes this vulnerability particularly dangerous.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker creates a malicious Git repository containing a symbolic link (e.g., \u003ccode\u003econfig_file\u003c/code\u003e) pointing to a sensitive target file or directory (e.g., \u003ccode\u003e/tmp/fake_root/etc/passwd\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eAttacker generates a malicious payload (e.g., \u003ccode\u003epayload.tar\u003c/code\u003e) containing a file with the same name as the symbolic link (e.g., \u003ccode\u003econfig_file\u003c/code\u003e) and uploads both to their Git repository.\u003c/li\u003e\n\u003cli\u003eVictim clones the attacker\u0026rsquo;s Git repository using \u003ccode\u003egit clone\u003c/code\u003e. This action automatically restores the symbolic link on the victim\u0026rsquo;s system.\u003c/li\u003e\n\u003cli\u003eVictim runs an application that utilizes the vulnerable \u003ccode\u003ecompressing\u003c/code\u003e library to extract the \u003ccode\u003epayload.tar\u003c/code\u003e archive.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003ecompressing\u003c/code\u003e library\u0026rsquo;s \u003ccode\u003eisPathWithinParent\u003c/code\u003e function resolves the path to the file being extracted. Due to lack of \u003ccode\u003elstat\u003c/code\u003e checks, the symbolic link is not detected.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003efs.writeFile\u003c/code\u003e function follows the symlink, writing the contents of the file from \u003ccode\u003epayload.tar\u003c/code\u003e to the targeted sensitive file (e.g., \u003ccode\u003e/tmp/fake_root/etc/passwd\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eArbitrary file overwrite occurs, potentially leading to privilege escalation or code execution.\u003c/li\u003e\n\u003cli\u003eAttacker achieves persistent access or control by overwriting critical system files.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to overwrite arbitrary files on the victim\u0026rsquo;s system, potentially leading to privilege escalation by modifying sensitive system files such as \u003ccode\u003e/etc/passwd\u003c/code\u003e. Remote Code Execution (RCE) can be achieved by overwriting executable binaries or startup scripts. Data corruption can also occur through the modification of application data or database files. This vulnerability impacts developers and organizations using the \u003ccode\u003ecompressing\u003c/code\u003e library up to version v2.1.0 when extracting untrusted archives.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the \u003ccode\u003ecompressing\u003c/code\u003e npm package to a patched version that includes proper symlink handling. This is the primary remediation.\u003c/li\u003e\n\u003cli\u003eInspect Git repositories for suspicious symbolic links before cloning. Use \u003ccode\u003egit ls-tree -r \u0026lt;commit-ish\u0026gt; | grep 120000\u003c/code\u003e to search for symlinks in a repository.\u003c/li\u003e\n\u003cli\u003eImplement runtime monitoring for file writes to unexpected locations based on the \u003ccode\u003ecompressing\u003c/code\u003e library\u0026rsquo;s activity. Create a detection rule based on \u003ccode\u003eprocess_creation\u003c/code\u003e and \u003ccode\u003efile_event\u003c/code\u003e to detect writes to sensitive directories such as \u003ccode\u003e/etc\u003c/code\u003e by processes spawned by Node.js that also load the vulnerable \u003ccode\u003ecompressing\u003c/code\u003e module.\u003c/li\u003e\n\u003cli\u003eMonitor network connections originating from processes related to the \u003ccode\u003ecompressing\u003c/code\u003e library after file extraction. Create a Sigma rule based on \u003ccode\u003enetwork_connection\u003c/code\u003e and \u003ccode\u003eprocess_creation\u003c/code\u003e to detect unusual outbound connections after archive extraction.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-18T12:00:00Z","date_published":"2026-04-18T12:00:00Z","id":"/briefs/2026-04-compressing-symlink-bypass/","summary":"A vulnerability in the `compressing` npm package (\u003c=v2.1.0) allows for arbitrary file overwrite via symlink path traversal, bypassing a previous patch for CVE-2026-24884.","title":"compressing npm Package Symlink Bypass Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-compressing-symlink-bypass/"},{"_cs_actors":[],"_cs_cves":[{"cvss":9,"id":"CVE-2026-30282"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["arbitrary-file-overwrite","code-execution","information-disclosure","cve-2026-30282"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2026-30282 describes an arbitrary file overwrite vulnerability affecting UXGROUP LLC\u0026rsquo;s Cast to TV Screen Mirroring version 2.2.77. This vulnerability exists within the application\u0026rsquo;s file import functionality. An attacker with the ability to supply a malicious file through the import process can overwrite critical internal application files. Successful exploitation can lead to arbitrary code execution within the context of the application or the exposure of sensitive information stored within the overwritten files. This vulnerability was published on March 31, 2026, and presents a significant risk to users of the affected software, as it could allow for complete compromise of the application and potentially the underlying system.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies an instance of UXGROUP LLC Cast to TV Screen Mirroring v2.2.77.\u003c/li\u003e\n\u003cli\u003eThe attacker gains access to the file import functionality, which could be exposed through a user interface element or API endpoint.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious file designed to overwrite a critical internal application file. This could involve manipulating file paths or filenames to achieve the desired overwrite location.\u003c/li\u003e\n\u003cli\u003eThe attacker imports the malicious file into the Cast to TV Screen Mirroring application using the intended file import mechanism.\u003c/li\u003e\n\u003cli\u003eThe application processes the imported file, and due to the vulnerability, overwrites the targeted critical internal file.\u003c/li\u003e\n\u003cli\u003eIf the overwritten file contains executable code, the attacker may be able to achieve arbitrary code execution within the context of the application.\u003c/li\u003e\n\u003cli\u003eAlternatively, if the overwritten file contains sensitive configuration data or credentials, the attacker may be able to steal this information.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the code execution or stolen information to further compromise the system or network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-30282 allows an attacker to overwrite critical internal files within UXGROUP LLC Cast to TV Screen Mirroring v2.2.77. This can lead to arbitrary code execution, allowing the attacker to execute malicious commands on the system running the application. Alternatively, the attacker could overwrite files containing sensitive information, such as configuration data or credentials, leading to information exposure and potential further compromise. The CVSS v3.1 score of 9.0 indicates a critical severity, emphasizing the potential for significant damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor network traffic and system logs for attempts to exploit CVE-2026-30282 by detecting abnormal file import patterns, implement the Sigma rule \u003ccode\u003eDetect Suspicious File Import Overwrite\u003c/code\u003e to identify potential exploit attempts based on file events.\u003c/li\u003e\n\u003cli\u003eSince no patch is mentioned, consider alternative screen mirroring solutions or isolating the affected application to minimize potential damage.\u003c/li\u003e\n\u003cli\u003eInvestigate and remediate any systems where UXGROUP LLC Cast to TV Screen Mirroring v2.2.77 is installed and showing signs of compromise.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-31T18:16:47Z","date_published":"2026-03-31T18:16:47Z","id":"/briefs/2026-03-cast-to-tv-overwrite/","summary":"UXGROUP LLC Cast to TV Screen Mirroring v2.2.77 is vulnerable to arbitrary file overwrite (CVE-2026-30282) via the file import process, allowing attackers to overwrite critical internal files and potentially achieve arbitrary code execution or information exposure.","title":"UXGROUP Cast to TV Screen Mirroring Arbitrary File Overwrite Vulnerability (CVE-2026-30282)","url":"https://feed.craftedsignal.io/briefs/2026-03-cast-to-tv-overwrite/"}],"language":"en","title":"CraftedSignal Threat Feed — Arbitrary-File-Overwrite","version":"https://jsonfeed.org/version/1.1"}