CVE-2026-30973
📋 TL;DR
Appium's ZIP extraction function contains a path traversal vulnerability where malicious ZIP files can write files outside the intended destination directory. The vulnerability exists because an error check is created but never thrown, allowing '../' path components to bypass security controls. This affects all Appium installations using the default JavaScript-based extraction functionality.
💻 Affected Systems
- Appium
- @appium/support
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution via arbitrary file write, potentially leading to complete system compromise if malicious files are placed in executable locations.
Likely Case
Arbitrary file overwrite or creation in sensitive directories, potentially enabling privilege escalation or data corruption.
If Mitigated
Limited to file writes within the Appium process's permissions, potentially causing denial of service or data loss.
🎯 Exploit Status
Exploitation requires the ability to provide malicious ZIP files to the Appium extraction function.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 7.0.6
Vendor Advisory: https://github.com/appium/appium/security/advisories/GHSA-rfx7-4xw3-gh4m
Restart Required: Yes
Instructions:
1. Update @appium/support to version 7.0.6 or higher.
2. Update Appium to version 7.0.6 or higher if using the full framework.
3. Restart all Appium services and processes.
🔧 Temporary Workarounds
Disable ZIP extraction functionality
Temporarily disable or restrict ZIP file processing in Appium until patching is possible.
Implement external ZIP validation
Use external tools to validate ZIP files before passing them to Appium's extraction functions.
🧯 If You Can't Patch
- Implement strict input validation for ZIP files before they reach Appium's extraction functions.
- Run Appium with minimal permissions and in isolated environments to limit potential damage from exploitation.
🔍 How to Verify
Check if Vulnerable:
Check whether the installed @appium/support version is below 7.0.6, using npm list @appium/support or by inspecting package.json.
Check Version:
npm list @appium/support --depth=0
Verify Fix Applied:
Verify @appium/support version is 7.0.6 or higher and test ZIP extraction with malicious path components to ensure they are rejected.
📡 Detection & Monitoring
Log Indicators:
- Failed ZIP extraction attempts
- Unexpected file write operations outside expected directories
- Error messages related to path traversal
Network Indicators:
- Unusual ZIP file uploads to Appium endpoints
- Suspicious file transfer patterns
SIEM Query:
source="appium" AND ("ZIP" OR "extract" OR "path traversal")