0Xer3N

**Name of the Vulnerable Software and Affected Versions** ApostropheCMS versions prior to 3.5.3 @apostrophecms/import-export versions prior to 3.5.3 **Description** ApostropheCMS contains a Zip Slip vulnerability in the `extract()` function within `gzip.js`. The `path.join()` function does not sanitize or resolve traversal segments like `../`, allowing a crafted `.tar.gz` file uploaded through the CMS import UI to write attacker-controlled content to any path the Node.js process can access on the host filesystem. This is possible because the function constructs file-write paths without performing a canonical-path check before opening the write stream. Any user with Global Content Modify permission, a role routinely assigned to content editors and site managers, can exploit this issue. The vulnerability allows for arbitrary file write, potentially leading to site defacement, malicious asset injection, persistent backdoors, credential theft, and denial of service. The `extract()` function is located in `packages/import-export/lib/formats/gzip.js` lines 132–157. The vulnerability requires the 'Global Content Modify' permission. **Recommendations** Update to version 3.5.3 of `@apostrophecms/import-export` or later.