{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-30973", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-07T17:53:48.816Z", "datePublished": "2026-03-10T17:33:41.009Z", "dateUpdated": "2026-03-12T14:25:09.401Z"}, "containers": {"cna": {"title": "Zip Slip arbitrary file write in @appium/support ZIP extraction", "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "lang": "en", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/appium/appium/security/advisories/GHSA-rfx7-4xw3-gh4m", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/appium/appium/security/advisories/GHSA-rfx7-4xw3-gh4m"}, {"name": "https://github.com/appium/appium/releases/tag/@appium/support@7.0.6", "tags": ["x_refsource_MISC"], "url": "https://github.com/appium/appium/releases/tag/@appium/support@7.0.6"}], "affected": [{"vendor": "@appium", "product": "support", "versions": [{"version": "< 7.0.6", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-10T17:33:41.009Z"}, "descriptions": [{"lang": "en", "value": "Appium is an automation framework that provides WebDriver-based automation possibilities for a wide range platforms. Prior to 7.0.6, @appium/support contains a ZIP extraction implementation (extractAllTo() via ZipExtractor.extract()) with a path traversal (Zip Slip) check that is non-functional. The check at line 88 of packages/support/lib/zip.js creates an Error object but never throws it, allowing malicious ZIP entries with ../ path components to write files outside the intended destination directory. This affects all JS-based extractions (the default code path), not only those using the fileNamesEncoding option. This vulnerability is fixed in 7.0.6."}], "source": {"advisory": "GHSA-rfx7-4xw3-gh4m", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/appium/appium/security/advisories/GHSA-rfx7-4xw3-gh4m", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-12T14:25:05.507604Z", "id": "CVE-2026-30973", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-12T14:25:09.401Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-30973", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-12T14:25:05.507604Z"}}}], "references": [{"url": "https://github.com/appium/appium/security/advisories/GHSA-rfx7-4xw3-gh4m", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-12T14:24:52.901Z"}}], "cna": {"title": "Zip Slip arbitrary file write in @appium/support ZIP extraction", "source": {"advisory": "GHSA-rfx7-4xw3-gh4m", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "@appium", "product": "support", "versions": [{"status": "affected", "version": "< 7.0.6"}]}], "references": [{"url": "https://github.com/appium/appium/security/advisories/GHSA-rfx7-4xw3-gh4m", "name": "https://github.com/appium/appium/security/advisories/GHSA-rfx7-4xw3-gh4m", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/appium/appium/releases/tag/@appium/support@7.0.6", "name": "https://github.com/appium/appium/releases/tag/@appium/support@7.0.6", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Appium is an automation framework that provides WebDriver-based automation possibilities for a wide range platforms. Prior to 7.0.6, @appium/support contains a ZIP extraction implementation (extractAllTo() via ZipExtractor.extract()) with a path traversal (Zip Slip) check that is non-functional. The check at line 88 of packages/support/lib/zip.js creates an Error object but never throws it, allowing malicious ZIP entries with ../ path components to write files outside the intended destination directory. This affects all JS-based extractions (the default code path), not only those using the fileNamesEncoding option. This vulnerability is fixed in 7.0.6."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-10T17:33:41.009Z"}}}, "cveMetadata": {"cveId": "CVE-2026-30973", "state": "PUBLISHED", "dateUpdated": "2026-03-12T14:25:09.401Z", "dateReserved": "2026-03-07T17:53:48.816Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-10T17:33:41.009Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:appium:appium\\/support:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "313A3505-82B8-449D-9A9A-8E74F86B76C0", "versionEndExcluding": "7.0.6", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Appium is an automation framework that provides WebDriver-based automation possibilities for a wide range platforms. Prior to 7.0.6, @appium/support contains a ZIP extraction implementation (extractAllTo() via ZipExtractor.extract()) with a path traversal (Zip Slip) check that is non-functional. The check at line 88 of packages/support/lib/zip.js creates an Error object but never throws it, allowing malicious ZIP entries with ../ path components to write files outside the intended destination directory. This affects all JS-based extractions (the default code path), not only those using the fileNamesEncoding option. This vulnerability is fixed in 7.0.6."}, {"lang": "es", "value": "Appium es un framework de automatizaci\u00f3n que proporciona posibilidades de automatizaci\u00f3n basadas en WebDriver para una amplia gama de plataformas. Antes de la versi\u00f3n 7.0.6, @appium/support contiene una implementaci\u00f3n de extracci\u00f3n ZIP (extractAllTo() a trav\u00e9s de ZipExtractor.extract()) con una verificaci\u00f3n de salto de ruta (Zip Slip) que no es funcional. La verificaci\u00f3n en la l\u00ednea 88 de packages/support/lib/zip.js crea un objeto Error pero nunca lo lanza, permitiendo que entradas ZIP maliciosas con componentes de ruta ../ escriban archivos fuera del directorio de destino previsto. Esto afecta a todas las extracciones basadas en JS (la ruta de c\u00f3digo predeterminada), no solo a aquellas que utilizan la opci\u00f3n fileNamesEncoding. Esta vulnerabilidad se corrige en la versi\u00f3n 7.0.6."}], "id": "CVE-2026-30973", "lastModified": "2026-05-07T20:46:26.913", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-10T18:18:56.063", "references": [{"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/appium/appium/releases/tag/@appium/support@7.0.6"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/appium/appium/security/advisories/GHSA-rfx7-4xw3-gh4m"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/appium/appium/security/advisories/GHSA-rfx7-4xw3-gh4m"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,7.0.6)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "original": {"product": "support", "source": "cna", "vendor": "@appium"}, "product": "support", "vendor": "appium"}], "analysis": {"en": {"generated_at": "2026-04-16T03:46:24.981197+00:00", "value": {"mitigation_remediation": ["Upgrade @appium/support to version 7.0.6 or later.", "If an upgrade is not immediately possible, restrict the use of ZipExtractor to trusted inputs or disable processing of arbitrary ZIP files.", "Verify that any custom wrappers around ZipExtractor implement proper path\u2011traversal checks before writing files."], "summary": {"action": "Apply Patch", "impact": "Arbitrary File Write via Path Traversal"}, "threat_synthesis": {"affected_systems": "Any installation of @appium/support older than 7.0.6 is affected. All JavaScript\u2011based extraction paths in the library, not just those using the fileNamesEncoding option, are vulnerable. Projects that rely on Appium\u2019s default ZIP extraction logic will be exposed.", "description_and_impact": "Appium's support library contains a ZIP extraction routine that, before version 7.0.6, implements a non\u2011functional path\u2011traversal check. The routine creates an Error object when an entry includes a '../' component but never throws it, allowing the extraction to continue. An attacker can supply a malicious ZIP archive and cause the library to write arbitrary files outside the intended destination directory. That capability can lead to overwriting configuration or code files and potentially compromise application behavior or elevate privileges.", "risk_and_exploitability": "The CVSS score of 6.5 classifies the vulnerability as moderate. The EPSS score is below 1\u202f%, indicating a very low current exploitation probability, and the issue is not listed in CISA\u2019s KEV catalog. Exploitation requires an attacker to supply a crafted ZIP file to the extraction routine, which may be possible through remote interfaces or when the library processes untrusted uploads. Successful exploitation would allow writing files outside the intended directory, potentially leading to privilege escalation if the process runs with elevated permissions."}}}}, "created": "2026-03-11T11:44:47.225564+00:00", "updated": "2026-04-16T04:00:09.424768+00:00", "vendors": ["appium", "appium$PRODUCT$support"]}