Public March 9, 2026
Appium ZIP Extraction Flaw Reopens Zip Slip Arbitrary File Write
BugBunny.ai discovered that Appium’s JavaScript ZIP extraction path intended to block directory traversal but forgot to actually throw the error it constructed. A malicious ZIP archive could therefore write files outside the chosen extraction directory and chain into more serious compromise paths.
TL;DR
- Impact: Attackers can write files outside the extraction target anywhere the Appium process has write access.
- Vector: Malicious ZIP entry names supplied to @appium/support ZIP extraction.
- Affected: @appium/support releases up to and including 7.0.5.
- Fixed: Published and fixed in @appium/support 7.0.6.
Root Cause
The traversal check calculated whether the destination path escaped the intended directory, but the code instantiated a new Error object without the throw keyword. Execution therefore continued even after detecting a malicious path.
Because the default JavaScript extraction path handled user-controlled archive contents, crafted filenames such as ../ sequences could escape the extraction root and create or overwrite arbitrary files. The same code path also opened the door to attacker-controlled symlink creation.
Product: @appium/support
Affected: <= 7.0.5
Patched: 7.0.6
Weaknesses
CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Mitigation
- Upgrade to @appium/support 7.0.6 or later.
- Apply traversal validation in every extraction helper, not just one call path.
- Treat ZIP contents as untrusted input and reject archives containing parent-directory segments or suspicious symlinks.
Credits & Disclosure
Published via GitHub Security Advisory GHSA-rfx7-4xw3-gh4m after fixes landed in Appium support.