GHSA-rfx7-4xw3-gh4m: @appium/support has a Zip Slip arbitrary file write in its ZIP extraction
mediumvulnerability
security
Summary
The `@appium/support` library has a bug in its ZIP file extraction code that fails to prevent Zip Slip attacks (a vulnerability where malicious ZIP files use `../` path components to write files outside the intended folder). The security check creates an error message but never throws it, so malicious ZIP entries can write files anywhere the Appium process has permission to write. This affects all JavaScript-based ZIP extractions by default.
Vulnerability Details
EPSS (30-day exploit probability)
EPSS: 0.0%
Patch Available
Yes
Disclosure Date
March 10, 2026
Classification
Attack Type
Supply Chain
Attack SophisticationTrivial
Impact (CIA+S)
integrityavailability
Affected Vendors
LangChain
Affected Packages
@appium/support@<= 7.0.5 (fixed: 7.0.6)
Related Issues
Original source: https://github.com/advisories/GHSA-rfx7-4xw3-gh4m
First tracked: March 11, 2026 at 12:00 AM
Classified by LLM (prompt v3) · confidence: 75%