Skip to main content

Appium Support CVE-2026-30973

MEDIUM
Path Traversal (CWE-22)
2026-03-10 security-advisories@github.com GHSA-rfx7-4xw3-gh4m
6.5
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None

Lifecycle Timeline

3
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
Analysis Generated
Mar 12, 2026 - 21:55 vuln.today
CVE Published
Mar 10, 2026 - 18:18 nvd
MEDIUM 6.5

DescriptionGitHub Advisory

Appium is an automation framework that provides WebDriver-based automation possibilities for a wide range platforms. Prior to 7.0.6, @appium/support contains a ZIP extraction implementation (extractAllTo() via ZipExtractor.extract()) with a path traversal (Zip Slip) check that is non-functional. The check at line 88 of packages/support/lib/zip.js creates an Error object but never throws it, allowing malicious ZIP entries with ../ path components to write files outside the intended destination directory. This affects all JS-based extractions (the default code path), not only those using the fileNamesEncoding option. This vulnerability is fixed in 7.0.6.

AnalysisAI

Appium's ZIP extraction function in @appium/support versions prior to 7.0.6 fails to properly enforce path traversal protections, allowing attackers to extract malicious ZIP files that write arbitrary files outside the intended directory. The vulnerability stems from an Error object that is created but never thrown, enabling Zip Slip attacks across all JavaScript-based extraction operations. An attacker can exploit this by crafting a malicious ZIP archive to overwrite sensitive files on systems using affected versions.

Technical ContextAI

This vulnerability (CWE-22: Path Traversal) affects Appium is an automation framework that provides WebDriver-based automation possibilities for a wide range platforms.. Appium is an automation framework that provides WebDriver-based automation possibilities for a wide range platforms. Prior to 7.0.6, @appium/support contains a ZIP extraction implementation (extractAllTo() via ZipExtractor.extract()) with a path traversal (Zip Slip) check that is non-functional. The check at line 88 of packages/support/lib/zip.js creates an Error object but never throws it, allowing malicious ZIP entries with ../ path components to write files outside the intended destination di

RemediationAI

Fixed in version 7.0.6.. Validate and sanitize file path inputs. Use allowlists. Restrict network access to the affected service where possible.

Share

CVE-2026-30973 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy