@appium/support has a Zip Slip arbitrary file write in its ZIP extraction
- Severity: Medium
Description
@appium/support contains a ZIP extraction implementation (extractAllTo() via ZipExtractor.extract()) with a path traversal (Zip Slip) check that is non-functional. The check at line 88 of packages/support/lib/zip.js creates an Error object but never throws it, allowing malicious ZIP entries with ../ path components to write files outside the intended destination directory.
Recommendation
Update the @appium/support package to the latest compatible version. Version details:
- Affected version(s): <= 7.0.5
- Patched version(s): 7.0.6
Related Issues
- ApostropheCMS has Arbitrary File Write (Zip Slip / Path Traversal) in Import-Export Gzip Extraction - CVE-2026-32731
- Rollup 4 has Arbitrary File Write via Path Traversal - CVE-2026-27606
- webcrack has an Arbitrary File Write Vulnerability on Windows when Parsing and Saving a Malicious Bundle - CVE-2024-43373
- FUXA Unauthenticated Remote Code Execution via Arbitrary File Write in Upload API - CVE-2026-25895
- Tags: npm, @appium/support
Last updated on March 11, 2026