ApostropheCMS has Arbitrary File Write (Zip Slip / Path Traversal) in Import-Export Gzip Extraction
Description
ApostropheCMS is an open-source content management framework. Prior to version 3.5.3 of @apostrophecms/import-export, The extract() function in gzip.js constructs file-write paths using fs.createWriteStream(path.join(exportPath, header.name)). path.join() does not resolve or sanitise traversal segments such as ../. It concatenates them as-is, meaning a tar entry named ../../evil.js resolves to a path outside the intended extraction directory. No canonical-path check is performed before the write stream is opened. This is a textbook Zip Slip vulnerability. Any user who has been granted the Global Content Modify permission — a role routinely assigned to content editors and site managers — can upload a crafted .tar.gz file through the standard CMS import UI and write attacker-controlled content to any path the Node.js process can reach on the host filesystem. Version 3.5.3 of @apostrophecms/import-export fixes the issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
@apostrophecms/import-exportnpm | < 3.5.3 | 3.5.3 |
Affected products
2- apostrophecms/import-exportv5Range: < 3.5.3
Patches
Vulnerability mechanics
References
2- github.com/advisories/GHSA-mwxc-m426-3f78ghsaADVISORY
- github.com/apostrophecms/apostrophe/security/advisories/GHSA-mwxc-m426-3f78ghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.