CVE-2026-30973
Status: Received - Intake
Path Traversal in Appium @appium/support ZIP Extraction

Publication date: 2026-03-10

Last updated on: 2026-03-12

Assigner: GitHub, Inc.

Description
Appium is an automation framework that provides WebDriver-based automation possibilities for a wide range of platforms. Prior to 7.0.6, @appium/support contains a ZIP extraction implementation (extractAllTo() via ZipExtractor.extract()) with a path traversal (Zip Slip) check that is non-functional. The check at line 88 of packages/support/lib/zip.js creates an Error object but never throws it, allowing malicious ZIP entries with ../ path components to write files outside the intended destination directory. This affects all JS-based extractions (the default code path), not only those using the fileNamesEncoding option. This vulnerability is fixed in 7.0.6.
Meta Information
Published: 2026-03-10
Last Modified: 2026-03-12
Generated: 2026-05-07
AI Q&A: 2026-03-10
EPSS Evaluated: 2026-05-05
Affected Vendors & Products (3 associated CPEs)
Vendor   Product          Version / Range
appium   appium_support   7.0.6
appium   appium           up to 7.0.6 (excluding)
appium   support          up to 7.0.6 (excluding)
Exploitability
CWE-22: The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-30973 is a path traversal (Zip Slip) vulnerability in the npm package @appium/support, specifically in its ZIP extraction implementation (extractAllTo() via ZipExtractor.extract()).

A critical path traversal check intended to prevent writing files outside the target directory is non-functional because an Error object is created but never thrown at line 88 in packages/support/lib/zip.js. This allows malicious ZIP entries containing "../" components to write arbitrary files or create symlinks outside the intended extraction directory.

The vulnerability affects all JavaScript-based extractions using ZipExtractor, regardless of the fileNamesEncoding option, because the underlying yauzl library does not provide path traversal protection.

The extractEntry() method writes files and symlinks to attacker-controlled paths without validation, and the _extractEntryTo() function used by readEntries() lacks any traversal checks.

The default extraction code path is vulnerable unless the system unzip fallback (useSystemUnzip: true) is explicitly enabled, which only protects if the system unzip binary succeeds. [1]


How can this vulnerability impact me?

This vulnerability allows an attacker to write arbitrary files or create symlinks outside the intended extraction directory anywhere writable by the Appium process.

Such arbitrary file writes can enable potential remote code execution by overwriting scripts, configuration files, or executable artifacts.

The impact is primarily on integrity, as attackers can modify or inject malicious files, but there is no direct confidentiality or availability impact.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability involves a non-functional path traversal check in the ZIP extraction implementation of the @appium/support package, allowing malicious ZIP entries with '../' components to write files outside the intended directory.

Detection can involve monitoring for unexpected file writes or symlink creations outside of expected extraction directories by the Appium process.

Since the vulnerability is in the JavaScript extraction code, one practical approach is to check the version of @appium/support in use and verify if it is prior to 7.0.6, which is vulnerable.

No specific detection commands are provided in the resources, but you can use commands to check the installed package version, for example:

- npm list @appium/support
- grep -r 'extractAllTo' node_modules/@appium/support/lib/zip.js

Additionally, monitoring file system changes during ZIP extraction for unexpected file paths containing '../' components or files created outside the extraction directory could help detect exploitation attempts. [1]


What immediate steps should I take to mitigate this vulnerability?

The primary mitigation is to upgrade the @appium/support package to version 7.0.6 or later, where the path traversal vulnerability is fixed by adding the missing throw keyword and enhancing path traversal checks.

If upgrading immediately is not possible, a temporary workaround is to enable the system unzip fallback by setting useSystemUnzip: true, which relies on the system unzip binary that is not vulnerable to this issue.

For defense-in-depth, adding additional path traversal validation in custom extraction code or restricting file system permissions to limit where Appium can write files can reduce risk.

