CVE-2026-30973 is a path traversal vulnerability classified under CWE-22 found in the @appium/support package used by the Appium automation framework. Appium supports WebDriver-based automation across multiple platforms and relies on this package for ZIP file extraction. The vulnerable function, extractAllTo() (via ZipExtractor.extract()), attempts to prevent path traversal attacks by checking for '../' sequences in ZIP entry paths. However, the check implemented at line 88 in packages/support/lib/zip.js is flawed: it creates an Error object when a path traversal is detected but does not throw it, allowing the extraction process to continue unchecked. Consequently, an attacker can craft a malicious ZIP archive containing entries with '../' components that escape the intended extraction directory and overwrite arbitrary files on the host filesystem. This vulnerability affects all JS-based extraction code paths, not just those using the fileNamesEncoding option, broadening the attack surface. Exploitation requires the victim to extract a malicious ZIP archive, which may occur during automated testing or CI/CD pipelines using Appium versions before 7.0.6. The vulnerability does not require authentication but does require user interaction to trigger extraction. The CVSS 3.1 score is 6.5, reflecting network attack vector, low attack complexity, no privileges required, user interaction needed, unchanged scope, no confidentiality impact, high integrity impact, and no availability impact. No public exploits have been reported yet. The issue was addressed and fixed in version 7.0.6 of @appium/support by properly throwing the error to halt extraction when path traversal is detected.

The primary impact of CVE-2026-30973 is on the integrity of affected systems. Successful exploitation allows an attacker to overwrite arbitrary files on the host filesystem by extracting a malicious ZIP archive with crafted path traversal entries. This can lead to modification or replacement of critical files, potentially enabling code execution, privilege escalation, or disruption of Appium automation workflows. Since Appium is widely used for automated testing across diverse platforms, compromised integrity could affect software development pipelines, continuous integration environments, and testing infrastructure globally. Although confidentiality and availability impacts are not directly indicated, the ability to overwrite files can indirectly cause denial of service or data corruption. The vulnerability is exploitable remotely over the network if an attacker can convince a user or automated system to extract a malicious ZIP file. The requirement for user interaction or automated extraction limits mass exploitation but targeted attacks against organizations relying on Appium automation are plausible. The lack of known exploits in the wild reduces immediate risk but patching is critical to prevent future exploitation. Organizations using vulnerable versions of @appium/support are at risk of unauthorized file modification and should treat this vulnerability seriously due to its potential to undermine development and testing integrity.

To mitigate CVE-2026-30973, organizations should immediately upgrade the @appium/support package to version 7.0.6 or later, where the path traversal check is properly enforced by throwing an error to stop extraction. Until upgrading is possible, users should avoid extracting ZIP archives from untrusted or unauthenticated sources within Appium workflows. Implement additional validation of ZIP file contents before extraction, such as manually verifying that no entry paths contain '../' sequences or absolute paths. Employ runtime monitoring and file integrity checking on systems running Appium to detect unauthorized file modifications. Restrict permissions of the directories used for ZIP extraction to minimize the impact of potential path traversal. Incorporate security scanning of dependencies in CI/CD pipelines to detect vulnerable package versions proactively. Educate developers and DevOps teams about the risks of extracting untrusted archives and enforce policies to prevent use of vulnerable versions. Finally, monitor security advisories and threat intelligence feeds for any emerging exploits targeting this vulnerability to respond promptly.