Path Traversal Vulnerability in Appium's ZIP Extraction Implementation
CVE-2026-30973

6.5MEDIUM

Key Information:

Vendor

@appium

Status
Vendor
CVE Published:
10 March 2026

What is CVE-2026-30973?

Appium's automation framework is susceptible to a path traversal issue in the ZIP extraction functionality within the @appium/support package. The vulnerability, arising from a non-functional check in the extraction implementation, permits malicious ZIP entries containing '../' path components to potentially overwrite files outside of the specified directory. This flaw affects all JavaScript-based extractions, making it critical to update to version 7.0.6 where the issue is resolved. Users are advised to patch their installations to maintain security and data integrity.

Affected Version(s)

support < 7.0.6

References

CVSS V3.1

Score:
6.5
Severity:
MEDIUM
Confidentiality:
None
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.