Outline’s ZipHelper.extract function computed extraction paths by concatenating a full filesystem path with the entry name and then passing the result through trimFileAndExt. When the joined path exceeded the 4096‑byte MAX_PATH_LENGTH, trimFileAndExt inadvertently dropped the directory components and returned only the basename. Subsequent fs.createWriteStream calls therefore created files relative to the process working directory instead of within the intended extraction sandbox. As the cleanup routine removed only the temporary extraction directory, these out‑of‑sandbox files persisted. The flaw permits an attacker who can supply a malicious zip file during collection import to write arbitrary files on the server, potentially including executable scripts, which could lead to remote code execution. The weakness corresponds to CWE‑22, a path traversal vulnerability.

The issue is present in the Outline collaborative documentation platform, specifically in all releases prior to 1.7.0. Any deployment that accepts ZIP imports—typically used for document synchronization across teams—is vulnerable until the code is updated or otherwise mitigated.

The CVSS score of 8.7 marks the flaw as high‑severity, and the EPSS score is not available. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is the upload of a malicious ZIP file to the import endpoint; based on the description, this upload probably requires a user who has import privileges, though the exact authentication requirements are not explicitly documented, so this inference is made. If an attacker can reach the import service, no host‑wide administrative privileges are necessary, since the vulnerability writes files outside the intended sandbox. The combination of a high CVSS score, lack of mitigation controls, and the relative ease of triggering the path truncation suggests a significant risk of exploitation.