CVE-2026-32731 Overview
CVE-2026-32731 is a critical Path Traversal vulnerability (Zip Slip) affecting ApostropheCMS, an open-source content management framework. Prior to version 3.5.3 of the @apostrophecms/import-export module, the extract() function in gzip.js fails to sanitize file paths when extracting tar archives, allowing authenticated attackers to write arbitrary files to the host filesystem.
Critical Impact
Authenticated users with Global Content Modify permissions can upload malicious .tar.gz files through the CMS import UI and write attacker-controlled content to any path accessible by the Node.js process, potentially leading to complete system compromise.
Affected Products
- ApostropheCMS @apostrophecms/import-export versions prior to 3.5.3
- ApostropheCMS deployments with import/export functionality enabled
- Systems where content editors or site managers have Global Content Modify permissions
Discovery Timeline
- 2026-03-18 - CVE CVE-2026-32731 published to NVD
- 2026-03-19 - Last updated in NVD database
Technical Details for CVE-2026-32731
Vulnerability Analysis
This vulnerability is classified as CWE-22 (Path Traversal), commonly known as a "Zip Slip" vulnerability. The flaw exists in the archive extraction routine where user-supplied filenames from tar entries are not properly validated before being used to construct file write paths.
When a .tar.gz file is uploaded through the ApostropheCMS import interface, the extract() function in gzip.js processes each entry in the archive. The function uses fs.createWriteStream(path.join(exportPath, header.name)) to create output files, where header.name comes directly from the archive entry. The path.join() function does not resolve or sanitize traversal segments like ../, meaning it concatenates them as-is. Consequently, a malicious tar entry named ../../evil.js would resolve to a path outside the intended extraction directory.
No canonical-path check is performed before the write stream is opened, allowing attackers to escape the designated extraction directory and write files anywhere on the filesystem that the Node.js process has write permissions.
Root Cause
The root cause is the absence of input validation and path canonicalization when constructing file paths from archive entries. The path.join() function, while useful for concatenating path segments, does not provide any security guarantees against directory traversal. The vulnerable code trusts the header.name value from the archive without verifying that the resulting path remains within the intended extraction directory.
A secure implementation would resolve the final path using path.resolve() and then verify that it starts with the expected extraction directory prefix before allowing any file write operations.
Attack Vector
The attack can be executed remotely over the network by any authenticated user who has been granted the Global Content Modify permission. This permission level is routinely assigned to content editors and site managers, significantly expanding the potential attack surface within organizations using ApostropheCMS.
The attacker crafts a malicious .tar.gz archive containing entries with path traversal sequences (e.g., ../../.env, ../../../etc/cron.d/malicious). When this archive is uploaded through the standard CMS import interface, the extraction process writes attacker-controlled content to arbitrary filesystem locations. This could be leveraged to overwrite application configuration files, inject malicious code into web-accessible directories, or establish persistence mechanisms on the server.
Detection Methods for CVE-2026-32731
Indicators of Compromise
- Unexpected file creation or modification outside of the ApostropheCMS upload directories
- Presence of suspicious files in parent directories relative to the application root
- Anomalous tar archive uploads containing path traversal sequences (../)
- New or modified files in system directories matching timestamps of recent import operations
Detection Strategies
- Monitor file system activity from Node.js processes for writes outside expected directories
- Implement log analysis rules to detect tar archive uploads with suspicious entry names
- Configure intrusion detection systems to alert on directory traversal patterns in uploaded files
- Review web application logs for import operations followed by unexpected system changes
Monitoring Recommendations
- Enable detailed audit logging for all CMS import/export operations
- Deploy file integrity monitoring on critical system directories and application files
- Implement real-time alerting for file creation events in sensitive paths by web application processes
- Regularly review users with Global Content Modify permissions and audit their import activity
How to Mitigate CVE-2026-32731
Immediate Actions Required
- Upgrade @apostrophecms/import-export to version 3.5.3 or later immediately
- Review recent import operations for signs of exploitation
- Audit the filesystem for unexpected file modifications, particularly outside application directories
- Temporarily restrict Global Content Modify permissions to essential personnel only
Patch Information
ApostropheCMS has released version 3.5.3 of the @apostrophecms/import-export module which addresses this vulnerability. Organizations should update their dependencies immediately using their package manager. Additional details are available in the GitHub Security Advisory.
Workarounds
- Disable the import/export module entirely if not required for business operations
- Implement network-level restrictions to limit access to CMS administrative functions
- Apply filesystem permissions to restrict write access from the Node.js process
- Deploy a web application firewall rule to inspect and block malicious archive uploads
# Example: Update the vulnerable package
npm update @apostrophecms/import-export@3.5.3
# Verify the installed version
npm list @apostrophecms/import-export
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
