ApostropheCMS has Arbitrary File Write (Zip Slip / Path Traversal) in Import-Export Gzip Extraction
Description
ApostropheCMS is an open-source content management framework. Prior to version 3.5.3 of @apostrophecms/import-export, The extract() function in gzip.js constructs file-write paths using fs.createWriteStream(path.join(exportPath, header.name)). path.join() does not resolve or sanitise traversal segments such as ../. It concatenates them as-is, meaning a tar entry named ../../evil.js resolves to a path outside the intended extraction directory. No canonical-path check is performed before the write stream is opened. This is a textbook Zip Slip vulnerability. Any user who has been granted the Global Content Modify permission — a role routinely assigned to content editors and site managers — can upload a crafted .tar.gz file through the standard CMS import UI and write attacker-controlled content to any path the Node.js process can reach on the host filesystem. Version 3.5.3 of @apostrophecms/import-export fixes the issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
ApostropheCMS import-export package prior to 3.5.3 allows authenticated users with Global Content Modify permission to write arbitrary files via a Zip Slip path traversal in gzip extraction.
Vulnerability
Overview
The extract() function in gzip.js of the @apostrophecms/import-export package constructs file-write paths using fs.createWriteStream(path.join(exportPath, header.name)). The path.join() method does not sanitize traversal segments such as ../, so a tar entry named ../../evil.js resolves to a path outside the intended extraction directory. No canonical-path check is performed before opening the write stream, resulting in a classic Zip Slip vulnerability (CWE-22) [1].
Exploitation
Prerequisites
Any user with the Global Content Modify permission—a role routinely assigned to content editors and site managers—can exploit this flaw. The attacker uploads a crafted .tar.gz file through the standard CMS import UI. The extraction process then writes attacker-controlled content to any path the Node.js process can access on the host filesystem [1].
Impact
Successful exploitation enables arbitrary file write, which can lead to remote code execution (e.g., overwriting application files), website defacement by writing to the static web directory (public/), or injection of malicious assets. The CVSS v3.1 score is 9.1 (Critical) with a network attack vector, low complexity, and no user interaction required beyond the initial authenticated upload [1].
Mitigation
The vulnerability is fixed in version 3.5.3 of @apostrophecms/import-export. Users should update immediately. No workarounds are documented; the fix involves proper path sanitization and canonical-path validation before writing extracted files [1].
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
@apostrophecms/import-exportnpm | < 3.5.3 | 3.5.3 |
Affected products
2- Range: <3.5.3
- apostrophecms/import-exportv5Range: < 3.5.3
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
2- github.com/advisories/GHSA-mwxc-m426-3f78ghsaADVISORY
- github.com/apostrophecms/apostrophe/security/advisories/GHSA-mwxc-m426-3f78ghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.