Description
Appium is an automation framework that provides WebDriver-based automation possibilities for a wide range of platforms. Prior to 7.0.6, @appium/support contains a ZIP extraction implementation (extractAllTo() via ZipExtractor.extract()) with a path traversal (Zip Slip) check that is non-functional. The check at line 88 of packages/support/lib/zip.js creates an Error object but never throws it, allowing malicious ZIP entries with ../ path components to write files outside the intended destination directory. This affects all JS-based extractions (the default code path), not only those using the fileNamesEncoding option. This vulnerability is fixed in 7.0.6.
Published: 2026-03-10
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary File Write via Path Traversal
Action: Apply Patch
AI Analysis

Impact

Appium's support library contains a ZIP extraction routine that, before version 7.0.6, implements a non‑functional path‑traversal check. The routine creates an Error object when an entry includes a '../' component but never throws it, allowing the extraction to continue. An attacker can supply a malicious ZIP archive and cause the library to write arbitrary files outside the intended destination directory. That capability can lead to overwriting configuration or code files and potentially compromise application behavior or elevate privileges.

Affected Systems

Any installation of @appium/support older than 7.0.6 is affected. All JavaScript‑based extraction paths in the library, not just those using the fileNamesEncoding option, are vulnerable. Projects that rely on Appium’s default ZIP extraction logic will be exposed.

Risk and Exploitability

The CVSS score of 6.5 classifies the vulnerability as moderate. The EPSS score is below 1%, indicating a very low current exploitation probability, and the issue is not listed in CISA's KEV catalog. Exploitation requires an attacker to supply a crafted ZIP file to the extraction routine, which may be possible through remote interfaces or when the library processes untrusted uploads. Successful exploitation would allow writing files outside the intended directory, potentially leading to privilege escalation if the process runs with elevated permissions.

Generated by OpenCVE AI on April 16, 2026 at 03:46 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade @appium/support to version 7.0.6 or later.
  • If an upgrade is not immediately possible, restrict the use of ZipExtractor to trusted inputs or disable processing of arbitrary ZIP files.
  • Verify that any custom wrappers around ZipExtractor implement proper path‑traversal checks before writing files.

Generated by OpenCVE AI on April 16, 2026 at 03:46 UTC.

Tracking


Advisories
Source: Github GHSA
ID: GHSA-rfx7-4xw3-gh4m
Title: @appium/support has a Zip Slip arbitrary file write in its ZIP extraction
History

Thu, 07 May 2026 21:00:00 +0000

Type Values Removed Values Added
First Time appeared Appium appium\/support
CPEs cpe:2.3:a:appium:appium\/support:*:*:*:*:*:node.js:*:*
Vendors & Products Appium appium\/support

Thu, 12 Mar 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 11 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Appium
Appium support
Vendors & Products Appium
Appium support

Tue, 10 Mar 2026 18:00:00 +0000

Type Values Removed Values Added
Description Appium is an automation framework that provides WebDriver-based automation possibilities for a wide range of platforms. Prior to 7.0.6, @appium/support contains a ZIP extraction implementation (extractAllTo() via ZipExtractor.extract()) with a path traversal (Zip Slip) check that is non-functional. The check at line 88 of packages/support/lib/zip.js creates an Error object but never throws it, allowing malicious ZIP entries with ../ path components to write files outside the intended destination directory. This affects all JS-based extractions (the default code path), not only those using the fileNamesEncoding option. This vulnerability is fixed in 7.0.6.
Title Zip Slip arbitrary file write in @appium/support ZIP extraction
Weaknesses CWE-22
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N'}


Subscriptions

Appium Appium\/support Support
MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-12T14:25:09.401Z

Reserved: 2026-03-07T17:53:48.816Z

Link: CVE-2026-30973

Vulnrichment

Updated: 2026-03-12T14:24:52.901Z

NVD

Status : Analyzed

Published: 2026-03-10T18:18:56.063

Modified: 2026-05-07T20:46:26.913

Link: CVE-2026-30973

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T04:00:09Z

Weaknesses