Platform: nodejs
Component: node.js
Fixed in: 3.5.4
CVE-2026-32731 describes a critical Zip Slip vulnerability discovered in the @apostrophecms/import-export module, a component of the ApostropheCMS content management framework. This flaw allows attackers to write files to arbitrary locations on the server, potentially leading to code execution and complete system compromise. The vulnerability affects versions of @apostrophecms/import-export prior to 3.5.3, and a fix is available in version 3.5.3.
The Zip Slip vulnerability arises from insufficient path sanitization during file extraction within the extract() function of gzip.js. Specifically, the code uses path.join() to construct file write paths without properly resolving or sanitizing traversal sequences like ../. Consequently, a malicious tar entry with a name like ../../evil.js can bypass the intended extraction directory and overwrite critical system files. This could allow an attacker to upload and execute arbitrary code, gain remote control of the server, and exfiltrate sensitive data. The impact is particularly severe given ApostropheCMS's use in managing content and potentially sensitive user data.
CVE-2026-32731 was publicly disclosed on 2026-03-18. The vulnerability exhibits characteristics similar to other Zip Slip vulnerabilities, such as the one affecting Apache Commons Compress. No public proof-of-concept exploits have been released as of this writing, but the vulnerability's severity and ease of exploitation suggest a high probability of exploitation. It is not currently listed on CISA KEV, but its critical severity warrants close monitoring.
ApostropheCMS installations using @apostrophecms/import-export versions prior to 3.5.3 are at risk. This includes developers and system administrators who manage ApostropheCMS deployments, particularly those who allow users to upload files via the import-export functionality. Shared hosting environments running ApostropheCMS are also at increased risk, as a compromised user account could potentially exploit this vulnerability to gain access to the entire server.
• nodejs / server:
find /path/to/node_modules/@apostrophecms/import-export/gzip.js -exec grep -i 'path.join(exportPath, header.name)' {} \;
• linux / server:
journalctl -f -u node | grep -i "extract()"
• generic web:
curl -I http://your-apostrophe-site.com/import-export/upload.php?file=../../evil.txt
EPSS: 0.07% (22nd percentile)
The primary mitigation for CVE-2026-32731 is to immediately upgrade @apostrophecms/import-export to version 3.5.3 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider implementing stricter file system permissions to limit the impact of a successful exploit. Additionally, implement input validation on all imported files to prevent the inclusion of malicious filenames containing traversal sequences. WAF rules can be configured to block requests containing suspicious filenames or file extensions. Monitor system logs for unusual file creation activity, particularly in unexpected directories.
Update the `@apostrophecms/import-export` module to version 3.5.3 or later. This fixes the arbitrary file write (Zip Slip / path traversal) vulnerability during gzip file extraction in the import-export process. The update prevents malicious users from writing files outside the intended target directory.
CVE-2026-32731 is a critical Zip Slip vulnerability in the @apostrophecms/import-export module, allowing attackers to write files outside the intended export directory, potentially leading to code execution.
You are affected if you are using @apostrophecms/import-export versions prior to 3.5.3. Immediately assess your deployments.
Upgrade to @apostrophecms/import-export version 3.5.3 or later. If immediate upgrade is not possible, implement temporary path validation workarounds.
While no public exploits are currently known, the vulnerability's severity and ease of exploitation suggest active exploitation is possible.
Refer to the official ApostropheCMS security advisory for detailed information and updates: [https://apostrophecms.com/security/advisories](https://apostrophecms.com/security/advisories)