Severity by source
AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N
Unauthenticated network endpoint with no interaction (AV:N/AC:L/PR:N/UI:N); traversal escapes the plugin boundary (S:C) and recursive deletion destroys data, so I:H and A:H, with C:N as no data is read.
Primary rating from Vendor (github).
CVSS VectorVendor: github
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N
Lifecycle Timeline
2DescriptionCVE.org
Appium is a cross-platform automation framework for all kinds of apps, built on top of the W3C WebDriver protocol. Prior to 1.1.6, the Appium storage plugin exposes POST /storage/delete, whose handler passes the user-supplied name value directly into path.join(storageRoot, name) and fs.rimraf() without path sanitization, allowing an unauthenticated remote client to escape the storage root with ../ sequences and recursively delete arbitrary writable files or directories. This issue is fixed in version 1.1.6.
AnalysisAI
Unauthenticated arbitrary file/directory deletion in the Appium storage plugin (versions prior to 1.1.6) allows a remote client to recursively delete writable files outside the storage root via the POST /storage/delete endpoint. The handler feeds the user-supplied name into path.join(storageRoot, name) and fs.rimraf() without sanitization, so ../ sequences escape the intended directory. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The Appium storage plugin must be installed and enabled (it is an optional plugin, not core Appium), and the Appium server's HTTP interface must be network-reachable by the attacker. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The NVD CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N, base 8.6) signals a genuinely easy attack: network-reachable, no authentication, no user interaction, low complexity, with a scope change reflecting that deletion reaches files outside the plugin's security boundary. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who can reach the Appium HTTP server (for example an Appium/CI host inadvertently exposed to a shared or internet-facing network) sends a single crafted POST /storage/delete request with a name value containing ../ sequences pointing at build artifacts, config files, or other writable data. With AV:N/AC:L/PR:N/UI:N, no credentials or victim interaction are needed, and fs.rimraf() recursively wipes the targeted path. … |
| Remediation | Vendor-released patch: upgrade @appium/storage-plugin to version 1.1.6 or later (advisory GHSA-jwgx-mp9m-jwcr; release https://github.com/appium/appium/releases/tag/@appium/storage-plugin@1.1.6). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
WITHIN 24 HOURS: Inventory all systems running Appium storage plugin versions prior to 1.1.6; implement firewall or network segmentation rules to restrict access to the POST /storage/delete endpoint to authorized internal networks only; enable endpoint logging and alerting. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42424