CVE-2026-30973

MEDIUM 6.5

Zip Slip arbitrary file write in @appium/support ZIP extraction

CVSS Score

6.5

EPSS Score

0.0%

EPSS Percentile

0th

Appium is an automation framework that provides WebDriver-based automation possibilities for a wide range platforms. Prior to 7.0.6, @appium/support contains a ZIP extraction implementation (extractAllTo() via ZipExtractor.extract()) with a path traversal (Zip Slip) check that is non-functional. The check at line 88 of packages/support/lib/zip.js creates an Error object but never throws it, allowing malicious ZIP entries with ../ path components to write files outside the intended destination directory. This affects all JS-based extractions (the default code path), not only those using the fileNamesEncoding option. This vulnerability is fixed in 7.0.6.

CWE	CWE-22
Vendor	@appium
Product	support
Published	Mar 10, 2026
Last Updated	Mar 12, 2026

Stay Ahead of the Next One

Get instant alerts for @appium support

Be the first to know when new medium vulnerabilities affecting @appium support are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

None

Integrity

High

Availability

None

Affected Versions

@appium / support

< 7.0.6

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/appium/appium/security/advisories/GHSA-rfx7-4xw3-gh4m github.com: https://github.com/appium/appium/releases/tag/@appium/[email protected]