10.0 CRITICAL
- CVSS version: 3.1
- Attack vector (AV): NETWORK
- Attack complexity (AC): LOW
- Privileges required (PR): LOW
- User interaction (UI): NONE
- Scope (S): CHANGED
- Confidentiality impact (C): HIGH
- Integrity impact (I): HIGH
- Availability impact (A): HIGH
ApostropheCMS has Arbitrary File Write (Zip Slip / Path Traversal) in Import-Export Gzip Extraction
ApostropheCMS is an open-source content management framework. Prior to version 3.5.3 of `@apostrophecms/import-export`, the `extract()` function in `gzip.js` constructs file-write paths using `fs.createWriteStream(path.join(exportPath, header.name))`. `path.join()` does not resolve or sanitise traversal segments such as `../`; it joins them as-is, so a tar entry named `../../evil.js` resolves to a path outside the intended extraction directory. No canonical-path check is performed before the write stream is opened. This is a textbook Zip Slip vulnerability. Any user who has been granted the Global Content Modify permission — a role routinely assigned to content editors and site managers — can upload a crafted `.tar.gz` file through the standard CMS import UI and write attacker-controlled content to any path the Node.js process can reach on the host filesystem. Version 3.5.3 of `@apostrophecms/import-export` fixes the issue.
References
Affected products
- @apostrophecms/import-export < 3.5.3
Matching in nixpkgs
- pkgs.azure-cli-extensions.import-export: Microsoft Azure Command-Line Tools StorageImportExport Extension
- pkgs.python312Packages.django-import-export: Django application and library for importing and exporting data with admin integration
- pkgs.python313Packages.django-import-export: Django application and library for importing and exporting data with admin integration
- pkgs.python314Packages.django-import-export: Django application and library for importing and exporting data with admin integration
Package maintainers
- @katexochen Paul Meyer <katexochen0@gmail.com>
- @ulrikstrid Ulrik Strid <ulrik.strid@outlook.com>
- @sephii Sylvain Fankhauser <sephi@fhtagn.top>