https://feed.craftedsignal.io/tags/arbitrary-file-overwrite/Trending threats, MITRE ATT&CK coverage, and detection metadata — refreshed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioSat, 18 Apr 2026 12:00:00 +0000https://feed.craftedsignal.io/briefs/2026-04-compressing-symlink-bypass/Sat, 18 Apr 2026 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-compressing-symlink-bypass/A vulnerability in the `compressing` npm package (<=v2.1.0) allows for arbitrary file overwrite via symlink path traversal, bypassing a previous patch for CVE-2026-24884.The compressing npm package (v2.1.0 and earlier) contains a critical vulnerability that permits arbitrary file overwrites due to a symlink path traversal bypass. This bypass affects the patch for CVE-2026-24884. The vulnerability arises from an incomplete validation in the isPathWithinParent utility, where path string checks are performed without verifying the filesystem state, specifically symbolic links. By cloning a malicious repository containing a pre-existing symbolic link, a victim unknowingly plants a “poisoned path” on their system. The attacker can then craft a malicious archive that, when extracted by the vulnerable library, follows the symlink and overwrites arbitrary files. The ease of exploitation via git clone makes this vulnerability particularly dangerous.

Attack Chain

1. Attacker creates a malicious Git repository containing a symbolic link (e.g., config_file) pointing to a sensitive target file or directory (e.g., /tmp/fake_root/etc/passwd).
2. Attacker generates a malicious payload (e.g., payload.tar) containing a file with the same name as the symbolic link (e.g., config_file) and uploads both to their Git repository.
3. Victim clones the attacker’s Git repository using git clone. This action automatically restores the symbolic link on the victim’s system.
4. Victim runs an application that utilizes the vulnerable compressing library to extract the payload.tar archive.
5. The compressing library’s isPathWithinParent function resolves the path to the file being extracted. Due to lack of lstat checks, the symbolic link is not detected.
6. The fs.writeFile function follows the symlink, writing the contents of the file from payload.tar to the targeted sensitive file (e.g., /tmp/fake_root/etc/passwd).
7. Arbitrary file overwrite occurs, potentially leading to privilege escalation or code execution.
8. Attacker achieves persistent access or control by overwriting critical system files.

Impact

Successful exploitation allows attackers to overwrite arbitrary files on the victim’s system, potentially leading to privilege escalation by modifying sensitive system files such as /etc/passwd. Remote Code Execution (RCE) can be achieved by overwriting executable binaries or startup scripts. Data corruption can also occur through the modification of application data or database files. This vulnerability impacts developers and organizations using the compressing library up to version v2.1.0 when extracting untrusted archives.

Recommendation

• Upgrade the compressing npm package to a patched version that includes proper symlink handling. This is the primary remediation.
• Inspect Git repositories for suspicious symbolic links before cloning. Use git ls-tree -r <commit-ish> | grep 120000 to search for symlinks in a repository.
• Implement runtime monitoring for file writes to unexpected locations based on the compressing library’s activity. Create a detection rule based on process_creation and file_event to detect writes to sensitive directories such as /etc by processes spawned by Node.js that also load the vulnerable compressing module.
• Monitor network connections originating from processes related to the compressing library after file extraction. Create a Sigma rule based on network_connection and process_creation to detect unusual outbound connections after archive extraction.

]]>criticaladvisorynpmsupply-chainsymlinkdirectory-traversalprivilege-escalationarbitrary-file-overwritehttps://feed.craftedsignal.io/briefs/2026-03-cast-to-tv-overwrite/Tue, 31 Mar 2026 18:16:47 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-03-cast-to-tv-overwrite/UXGROUP LLC Cast to TV Screen Mirroring v2.2.77 is vulnerable to arbitrary file overwrite (CVE-2026-30282) via the file import process, allowing attackers to overwrite critical internal files and potentially achieve arbitrary code execution or information exposure.CVE-2026-30282 describes an arbitrary file overwrite vulnerability affecting UXGROUP LLC’s Cast to TV Screen Mirroring version 2.2.77. This vulnerability exists within the application’s file import functionality. An attacker with the ability to supply a malicious file through the import process can overwrite critical internal application files. Successful exploitation can lead to arbitrary code execution within the context of the application or the exposure of sensitive information stored within the overwritten files. This vulnerability was published on March 31, 2026, and presents a significant risk to users of the affected software, as it could allow for complete compromise of the application and potentially the underlying system.

Attack Chain

1. An attacker identifies an instance of UXGROUP LLC Cast to TV Screen Mirroring v2.2.77.
2. The attacker gains access to the file import functionality, which could be exposed through a user interface element or API endpoint.
3. The attacker crafts a malicious file designed to overwrite a critical internal application file. This could involve manipulating file paths or filenames to achieve the desired overwrite location.
4. The attacker imports the malicious file into the Cast to TV Screen Mirroring application using the intended file import mechanism.
5. The application processes the imported file, and due to the vulnerability, overwrites the targeted critical internal file.
6. If the overwritten file contains executable code, the attacker may be able to achieve arbitrary code execution within the context of the application.
7. Alternatively, if the overwritten file contains sensitive configuration data or credentials, the attacker may be able to steal this information.
8. The attacker leverages the code execution or stolen information to further compromise the system or network.

Impact

Successful exploitation of CVE-2026-30282 allows an attacker to overwrite critical internal files within UXGROUP LLC Cast to TV Screen Mirroring v2.2.77. This can lead to arbitrary code execution, allowing the attacker to execute malicious commands on the system running the application. Alternatively, the attacker could overwrite files containing sensitive information, such as configuration data or credentials, leading to information exposure and potential further compromise. The CVSS v3.1 score of 9.0 indicates a critical severity, emphasizing the potential for significant damage.

Recommendation

• Monitor network traffic and system logs for attempts to exploit CVE-2026-30282 by detecting abnormal file import patterns, implement the Sigma rule Detect Suspicious File Import Overwrite to identify potential exploit attempts based on file events.
• Since no patch is mentioned, consider alternative screen mirroring solutions or isolating the affected application to minimize potential damage.
• Investigate and remediate any systems where UXGROUP LLC Cast to TV Screen Mirroring v2.2.77 is installed and showing signs of compromise.

]]>criticaladvisoryarbitrary-file-overwritecode-executioninformation-disclosurecve-2026-30282