Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-30973 is a path traversal (Zip Slip) vulnerability in the npm package @appium/support, specifically in its ZIP extraction implementation (extractAllTo() via ZipExtractor.extract()).'}, {'type': 'paragraph', 'content': 'A critical path traversal check intended to prevent writing files outside the target directory is non-functional because an Error object is created but never thrown at line 88 in packages/support/lib/zip.js. This allows malicious ZIP entries containing "../" components to write arbitrary files or create symlinks outside the intended extraction directory.'}, {'type': 'paragraph', 'content': 'The vulnerability affects all JavaScript-based extractions using ZipExtractor, regardless of the fileNamesEncoding option, because the underlying yauzl library does not provide path traversal protection.'}, {'type': 'paragraph', 'content': 'The extractEntry() method writes files and symlinks to attacker-controlled paths without validation, and the _extractEntryTo() function used by readEntries() lacks any traversal checks.'}, {'type': 'paragraph', 'content': 'The default extraction code path is vulnerable unless the system unzip fallback (useSystemUnzip: true) is explicitly enabled, which only protects if the system unzip binary succeeds.'}] [1]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows an attacker to write arbitrary files or create symlinks outside the intended extraction directory anywhere writable by the Appium process.

Such arbitrary file writes can enable potential remote code execution by overwriting scripts, configuration files, or executable artifacts.

The impact is primarily on integrity, as attackers can modify or inject malicious files, but there is no direct confidentiality or availability impact.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': "This vulnerability involves a non-functional path traversal check in the ZIP extraction implementation of the @appium/support package, allowing malicious ZIP entries with '../' components to write files outside the intended directory."}, {'type': 'paragraph', 'content': 'Detection can involve monitoring for unexpected file writes or symlink creations outside of expected extraction directories by the Appium process.'}, {'type': 'paragraph', 'content': 'Since the vulnerability is in the JavaScript extraction code, one practical approach is to check the version of @appium/support in use and verify if it is prior to 7.0.6, which is vulnerable.'}, {'type': 'paragraph', 'content': 'No specific detection commands are provided in the resources, but you can use commands to check the installed package version, for example:'}, {'type': 'list_item', 'content': 'npm list @appium/support'}, {'type': 'list_item', 'content': "grep -r 'extractAllTo' node_modules/@appium/support/lib/zip.js"}, {'type': 'paragraph', 'content': "Additionally, monitoring file system changes during ZIP extraction for unexpected file paths containing '../' components or files created outside the extraction directory could help detect exploitation attempts."}] [1]

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation is to upgrade the @appium/support package to version 7.0.6 or later, where the path traversal vulnerability is fixed by adding the missing throw keyword and enhancing path traversal checks.

If upgrading immediately is not possible, a temporary workaround is to enable the system unzip fallback by setting useSystemUnzip: true, which relies on the system unzip binary that is not vulnerable to this issue.

For defense-in-depth, adding additional path traversal validation in custom extraction code or restricting file system permissions to limit where Appium can write files can reduce risk.

Useful 0 Not Useful 0