CVE-2026-30973 Overview
A path traversal vulnerability (Zip Slip) exists in Appium's @appium/support package prior to version 7.0.6. The ZIP extraction implementation in extractAllTo() via ZipExtractor.extract() contains a non-functional path traversal security check. The vulnerability allows malicious ZIP entries containing ../ path components to write files outside the intended destination directory, potentially enabling arbitrary file writes on the affected system.
Critical Impact
Attackers can craft malicious ZIP archives to overwrite arbitrary files on systems running vulnerable versions of Appium, potentially leading to code execution or system compromise.
Affected Products
- @appium/support versions prior to 7.0.6
- Appium automation framework using JS-based extraction code paths
- Applications utilizing the extractAllTo() or ZipExtractor.extract() functions
Discovery Timeline
- 2026-03-10 - CVE-2026-30973 published to NVD
- 2026-03-12 - Last updated in NVD database
Technical Details for CVE-2026-30973
Vulnerability Analysis
This vulnerability is classified as CWE-22 (Path Traversal) and specifically manifests as a "Zip Slip" attack vector. The flaw exists in the ZIP extraction implementation within packages/support/lib/zip.js. At line 88, the security check designed to prevent path traversal attacks creates an Error object but critically fails to throw it. This programming oversight renders the entire path traversal protection mechanism ineffective.
The vulnerability affects all JavaScript-based extractions, which represent the default code path in Appium. This means the exposure is not limited to edge cases using specific options like fileNamesEncoding, but rather impacts the standard operation of the ZIP extraction functionality.
Root Cause
The root cause is a coding error where an Error object is instantiated but never thrown. The intended security check at line 88 of packages/support/lib/zip.js was designed to detect and reject ZIP entries containing path traversal sequences like ../. However, because the error is created but not thrown, execution continues normally, allowing malicious entries to be extracted to arbitrary locations outside the intended directory.
Attack Vector
An attacker can exploit this vulnerability by crafting a malicious ZIP archive containing entries with specially crafted filenames that include directory traversal sequences (e.g., ../../../../etc/cron.d/malicious). When this ZIP file is processed by a vulnerable Appium installation using the extractAllTo() or ZipExtractor.extract() functions, the malicious files are written to locations outside the intended extraction directory.
The attack requires network access and user interaction (such as processing an attacker-supplied ZIP file). This is particularly concerning in automation testing environments where test artifacts or plugins may be distributed as ZIP archives.
The vulnerability mechanism centers on the flawed security check in the ZIP extraction routine. When a ZIP entry is processed, the code attempts to validate the extraction path but fails to enforce the check due to the missing throw statement. Detailed technical information is available in the GitHub Security Advisory.
Detection Methods for CVE-2026-30973
Indicators of Compromise
- Presence of unexpected files in system directories (e.g., /etc/cron.d/, /tmp/, web server roots)
- Modified configuration files or scripts outside of normal application directories
- ZIP extraction operations targeting sensitive system paths in application logs
- Anomalous file creation events with paths containing resolved ../ sequences
Detection Strategies
- Monitor file system events for file creation operations outside expected extraction directories during ZIP processing
- Implement application-level logging to capture ZIP extraction paths and flag entries containing path traversal sequences
- Scan dependencies for @appium/support versions prior to 7.0.6 using software composition analysis tools
- Review application logs for ZIP extraction activities with suspicious destination paths
Monitoring Recommendations
- Deploy file integrity monitoring on critical system directories that should not receive extracted content
- Implement runtime application self-protection (RASP) to detect path traversal attempts during ZIP extraction
- Set up alerts for npm package updates and security advisories related to Appium dependencies
- Monitor process behavior for unexpected file writes outside designated application directories
How to Mitigate CVE-2026-30973
Immediate Actions Required
- Upgrade @appium/support to version 7.0.6 or later immediately
- Audit any systems that have processed untrusted ZIP files for signs of compromise
- Review and restrict file system permissions on directories accessible to the Appium process
- Implement network-level controls to limit exposure of systems running vulnerable versions
Patch Information
The vulnerability has been addressed in @appium/support version 7.0.6. The fix ensures that the Error object created during path traversal detection is properly thrown, preventing malicious ZIP entries from being extracted to unauthorized locations. Users should upgrade to this version or later to remediate the vulnerability.
For detailed release information, see the GitHub Release Note.
Workarounds
- Validate all ZIP archives before extraction by scanning for entries containing ../ path components
- Implement a pre-extraction check that rejects ZIP files with suspicious entry names
- Run Appium processes with minimal file system permissions, following the principle of least privilege
- Isolate Appium execution environments using containers or sandboxing to limit the impact of successful exploitation
# Install the patched @appium/support (npm install with an explicit version also
# updates the range recorded in package.json; npm update only moves within the
# existing range)
npm install @appium/support@7.0.6
# Verify the installed version is 7.0.6 or later
npm list @appium/support
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

