CVE-2026-30973: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in @appium support
Appium is an automation framework that provides WebDriver-based automation possibilities for a wide range of platforms. Prior to 7.0.6, @appium/support contains a ZIP extraction implementation (extractAllTo() via ZipExtractor.extract()) with a path traversal (Zip Slip) check that is non-functional. The check at line 88 of packages/support/lib/zip.js creates an Error object but never throws it, allowing malicious ZIP entries with ../ path components to write files outside the intended destination directory. This affects all JS-based extractions (the default code path), not only those using the fileNamesEncoding option. This vulnerability is fixed in 7.0.6.
AI Analysis
Technical Summary
CVE-2026-30973 is a path traversal vulnerability classified under CWE-22 found in the @appium/support package, specifically in the ZIP extraction implementation extractAllTo() via ZipExtractor.extract(). In versions prior to 7.0.6, the function attempts to prevent path traversal attacks by checking for '../' sequences in ZIP entry paths. However, the check is flawed: it creates an Error object when a suspicious path is detected but fails to throw it, allowing the extraction process to continue unchecked. This enables an attacker to craft malicious ZIP archives containing entries with '../' components that escape the intended extraction directory and write files to arbitrary locations on the filesystem. Since @appium/support is widely used in Appium, a popular automation framework for WebDriver-based testing across multiple platforms, this vulnerability affects all JavaScript-based ZIP extractions using the default code path, regardless of the fileNamesEncoding option. Exploitation requires an attacker to supply a malicious ZIP file and induce its extraction by the victim, implying user interaction is necessary. The vulnerability does not require prior authentication and can lead to integrity violations by overwriting critical files, but it does not directly impact confidentiality or availability. The CVSS 3.1 score is 6.5 (medium severity), reflecting network attack vector, low attack complexity, no privileges required, user interaction required, unchanged scope, no confidentiality impact, high integrity impact, and no availability impact. The vulnerability was published on March 10, 2026, and fixed in version 7.0.6 of @appium/support. No known exploits have been reported in the wild as of now.
Potential Impact
The primary impact of CVE-2026-30973 is the potential for an attacker to overwrite arbitrary files on a victim's system by exploiting the path traversal flaw during ZIP extraction. This can lead to integrity compromise of the host system, including overwriting configuration files, scripts, or binaries, potentially enabling further code execution or system compromise. Since Appium is used for automation testing across various platforms, compromised test environments could lead to unreliable test results or serve as a foothold for lateral movement within development or CI/CD infrastructure. The lack of confidentiality or availability impact limits the scope to integrity, but the ability to write arbitrary files can have severe consequences depending on the environment and the privileges of the process performing extraction. Organizations relying on Appium for automated testing, especially those integrating ZIP files from untrusted sources or third-party plugins, are at risk. The requirement for user interaction reduces the risk of automated exploitation but does not eliminate it, especially in environments where automated pipelines process ZIP files. The absence of known exploits in the wild suggests limited active targeting currently, but the vulnerability's medium severity and ease of exploitation warrant prompt remediation.
Mitigation Recommendations
To mitigate CVE-2026-30973, organizations should upgrade @appium/support to version 7.0.6 or later, where the path traversal check is correctly implemented and enforced. Until the upgrade is applied, avoid extracting ZIP files from untrusted or unauthenticated sources within Appium workflows. Implement additional validation of ZIP archive contents before extraction, such as verifying that no entry paths contain '../' sequences or absolute paths. Employ sandboxing or containerization for environments running Appium to limit the impact of potential arbitrary file writes. Monitor file system changes in directories used for ZIP extraction to detect suspicious activity. Incorporate static code analysis or dependency scanning tools in CI/CD pipelines to detect vulnerable versions of @appium/support. Educate developers and testers about the risks of processing untrusted ZIP files and enforce strict source validation policies. Finally, consider runtime application self-protection (RASP) or endpoint detection and response (EDR) solutions to detect anomalous file system modifications during test automation runs.
Affected Countries
United States, India, Germany, United Kingdom, China, Japan, Canada, Australia, France, South Korea
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-07T17:53:48.816Z
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 69b059afea502d3aa88174ff
Added to database: 3/10/2026, 5:49:35 PM
Last enriched: 3/17/2026, 6:57:42 PM
Last updated: 4/28/2026, 2:39:37 AM