Description
ApostropheCMS is an open-source content management framework. Prior to version 3.5.3 of `@apostrophecms/import-export`, the `extract()` function in `gzip.js` constructs file-write paths using `fs.createWriteStream(path.join(exportPath, header.name))`. `path.join()` does not resolve or sanitise traversal segments such as `../`. It concatenates them as-is, meaning a tar entry named `../../evil.js` resolves to a path outside the intended extraction directory. No canonical-path check is performed before the write stream is opened. This is a textbook Zip Slip vulnerability. Any user who has been granted the Global Content Modify permission — a role routinely assigned to content editors and site managers — can upload a crafted `.tar.gz` file through the standard CMS import UI and write attacker-controlled content to any path the Node.js process can reach on the host filesystem. Version 3.5.3 of `@apostrophecms/import-export` fixes the issue.
Published: 2026-03-18
Score: 10 (Critical)
EPSS: < 1% (Very Low)
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

ApostropheCMS suffered a zip slip vulnerability in the import‑export module where the Gzip extraction logic concatenates archive entry names with the target directory without sanitising them. An attacker can craft a payload containing traversal sequences such as "../../evil.js" which, when processed, is written to arbitrary paths reachable by the Node.js process. By overwriting configuration files, server-side scripts, or executable binaries the attacker can gain full control of the application or host, compromising confidentiality, integrity, and availability.

Affected Systems

The flaw exists in the @apostrophecms/import-export package for all releases prior to v3.5.3. Users who possess Global Content Modify permissions – typically editors or site managers – can trigger the vulnerability through the CMS import interface. The affected component runs under the Node.js environment and can write anywhere within the process’s file‑system access rights.

Risk and Exploitability

The CVSS rating is 10, indicating a critical impact. EPSS shows less than 1% probability of exploitation in the wild, and the flaw is not listed in CISA's Known Exploited Vulnerabilities catalog. The attack requires authenticated access with content‑modify rights and the ability to upload a .tar.gz file; once the credentials are in place, the exploit is straightforward and does not demand additional privileges. The path traversal flaw can be leveraged to achieve remote code execution, making it highly exploitable for attackers with moderate access within the CMS.

Generated by OpenCVE AI on March 24, 2026 at 22:30 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the @apostrophecms/import-export package to version 3.5.3 or newer.
  • If an upgrade cannot be performed immediately, remove Global Content Modify permission from unauthenticated or untrusted users and disable the import feature for untrusted accounts.
  • Verify that the Node.js process is running with the least privileges required and monitor file‑write operations within the application’s directory to detect any anomalous activity.

Generated by OpenCVE AI on March 24, 2026 at 22:30 UTC.

Advisories
Source: Github GHSA
ID: GHSA-mwxc-m426-3f78
Title: ApostropheCMS has Arbitrary File Write (Zip Slip / Path Traversal) in Import-Export Gzip Extraction
History

Tue, 24 Mar 2026 21:45:00 +0000

Type: CPEs
Values Added: cpe:2.3:a:apostrophecms:import-export:*:*:*:*:*:node.js:*:*

Thu, 19 Mar 2026 16:15:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 19 Mar 2026 09:45:00 +0000

Type: First Time appeared
Values Added: Apostrophecms; Apostrophecms import-export
Type: Vendors & Products
Values Added: Apostrophecms; Apostrophecms import-export

Wed, 18 Mar 2026 22:30:00 +0000

Type: Description
Values Added: ApostropheCMS is an open-source content management framework. Prior to version 3.5.3 of `@apostrophecms/import-export`, The `extract()` function in `gzip.js` constructs file-write paths using `fs.createWriteStream(path.join(exportPath, header.name))`. `path.join()` does not resolve or sanitise traversal segments such as `../`. It concatenates them as-is, meaning a tar entry named `../../evil.js` resolves to a path outside the intended extraction directory. No canonical-path check is performed before the write stream is opened. This is a textbook Zip Slip vulnerability. Any user who has been granted the Global Content Modify permission — a role routinely assigned to content editors and site managers — can upload a crafted `.tar.gz` file through the standard CMS import UI and write attacker-controlled content to any path the Node.js process can reach on the host filesystem. Version 3.5.3 of `@apostrophecms/import-export` fixes the issue.
Type: Title
Values Added: ApostropheCMS has Arbitrary File Write (Zip Slip / Path Traversal) in Import-Export Gzip Extraction
Type: Weaknesses
Values Added: CWE-22
Type: References
Values Added:
Type: Metrics (cvssV3_1)
Values Added: {'score': 10, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-19T16:04:47.962Z

Reserved: 2026-03-13T15:02:00.627Z

Link: CVE-2026-32731

Vulnrichment

Updated: 2026-03-19T16:03:40.666Z

NVD

Status: Analyzed

Published: 2026-03-18T23:17:29.543

Modified: 2026-03-24T21:31:54.240

Link: CVE-2026-32731

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T11:51:56Z

Weaknesses