PT-2026-24342 · Appium+1 · Appium+1

Bugbunny-Research · Published 2026-03-10 · Updated 2026-05-07 · CVE-2026-30973

CVSS v3.1: 6.5 (Medium)

Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

Name of the Vulnerable Software and Affected Versions

Appium versions prior to 7.0.6

Description

Appium, an automation framework, has an issue in its ZIP extraction implementation within the @appium/support package. The path traversal check (Zip Slip) in extractAllTo() via ZipExtractor.extract() is non-functional because an Error object is created but not thrown. This allows malicious ZIP files containing ../ path components to write files outside the intended destination directory. This impacts all JavaScript-based extractions, which is the default code path. The vulnerable code is located at line 88 of packages/support/lib/zip.js. The vulnerable function is ZipExtractor.extract(). The vulnerable parameter is the ZIP file itself.

Recommendations

Update to Appium version 7.0.6 or later.
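
The defect class described above, as an added example (not Appium's code and not part of the advisory): a destination-containment check that builds an Error without throwing it, next to the corrected form. The function names, the destination directory and the entry names are constructed for illustration, and no archive is read or written.

```javascript
// Added illustration of the defect class; hypothetical names, not Appium's source.
const path = require('node:path');

// True when entryName, resolved against destDir, stays at or below destDir.
function staysInside(destDir, entryName) {
  const root = path.resolve(destDir);
  const rel = path.relative(root, path.resolve(root, entryName));
  return !(rel === '..' || rel.startsWith('..' + path.sep) || path.isAbsolute(rel));
}

// Defective form: the Error is constructed and discarded, so the guard
// never interrupts extraction and the escaping path is returned.
function resolveEntryBroken(destDir, entryName) {
  const target = path.resolve(destDir, entryName);
  if (!staysInside(destDir, entryName)) {
    new Error(`Out of bound path "${target}" found`); // missing `throw`
  }
  return target;
}

// Corrected form: the same condition, but the Error is thrown.
function resolveEntryFixed(destDir, entryName) {
  const target = path.resolve(destDir, entryName);
  if (!staysInside(destDir, entryName)) {
    throw new Error(`Entry "${entryName}" resolves outside "${destDir}"`);
  }
  return target;
}

// Run a resolver over entry names and report which ones it lets through.
function audit(destDir, entryNames, resolver) {
  const accepted = [], rejected = [];
  for (const name of entryNames) {
    try {
      resolver(destDir, name);
      accepted.push(name);
    } catch (err) {
      rejected.push(name);
    }
  }
  return { accepted, rejected };
}

// Constructed entry names and destination (assumptions for this example).
const SAMPLE_ENTRIES = ['app/Info.plist', 'app/../lib/a.so', '../outside.txt', 'a/../../b'];
const DEST = '/tmp/extract-dest';

console.log('broken:', audit(DEST, SAMPLE_ENTRIES, resolveEntryBroken));
console.log('fixed: ', audit(DEST, SAMPLE_ENTRIES, resolveEntryFixed));
```

A lint rule that flags `new` expressions used as statements, such as ESLint's `no-new`, catches the missing `throw` before it ships.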

Exploit

Fix

Path traversal

Weakness Enumeration

Related Identifiers

CVE-2026-30973
GHSA-RFX7-4XW3-GH4M

Affected Products

@appium/support
Appium