@appium/support has a Zip Slip arbitrary file write in its ZIP extraction
Severity: Medium
Description
@appium/support contains a ZIP extraction implementation (extractAllTo() via ZipExtractor.extract()) with a path traversal (Zip Slip) check that is non-functional. The check at line 88 of packages/support/lib/zip.js creates an Error object but never throws it, allowing malicious ZIP entries with ../ path components to write files outside the intended destination directory.
Recommendation
Update the @appium/support package to the latest compatible version. Version details:
- Affected version(s): <= 7.0.5
- Patched version(s): 7.0.6
References
Related Issues
- ApostropheCMS has Arbitrary File Write (Zip Slip / Path Traversal) in Import-Export Gzip Extraction - CVE-2026-32731
- SillyTavern has a path traversal in `/api/chats/import` allows arbitrary file write outside intended chat directory - CVE-2026-34522
- Saltcorn has an Unauthenticated Path Traversal in sync endpoints, allowing arbitrary file write and directory read - CVE-2026-40163
- Rollup 4 has Arbitrary File Write via Path Traversal - CVE-2026-27606
Tags: npm, @appium/support
Last updated on March 11, 2026