Platform: nodejs
Component: node.js
Fixed in: 3.5.4
CVE-2026-32731 describes a critical Zip Slip vulnerability discovered in the @apostrophecms/import-export module, a component of the ApostropheCMS content management framework. This flaw allows attackers to write files to arbitrary locations on the server, potentially leading to code execution and complete system compromise. The vulnerability affects versions of @apostrophecms/import-export prior to 3.5.3, and a fix is available in version 3.5.3.
The Zip Slip vulnerability arises from insufficient path sanitization within the extract() function of gzip.js. Specifically, the code constructs file write paths by concatenating user-supplied filenames (from a tar archive) with the intended export directory. Malicious actors can craft tar entries with filenames containing traversal sequences like ../../, effectively bypassing the intended directory restriction. This allows them to write files to locations outside the export directory, such as overwriting critical system files or injecting malicious code into web-accessible directories. The potential impact is severe, ranging from website defacement and data theft to complete server takeover. This vulnerability shares similarities with other Zip Slip exploits, highlighting the importance of robust path validation when handling user-provided filenames.
CVE-2026-32731 was publicly disclosed on 2026-03-18. Exploitation is considered highly likely because the attack is relatively simple to carry out and ApostropheCMS is widely used. No public proof-of-concept exploits have been released at the time of writing, but the vulnerability's nature makes it likely that such exploits will emerge. It is not currently listed on CISA KEV, but its critical severity warrants close monitoring. Active campaigns targeting ApostropheCMS installations are possible.
Exploit Status
EPSS: 0.07% (22nd percentile)
The primary mitigation for CVE-2026-32731 is to immediately upgrade @apostrophecms/import-export to version 3.5.3 or later. If upgrading is not immediately feasible due to compatibility concerns or breaking changes, consider implementing a temporary workaround by adding strict path validation to the extract() function. This could involve using path.resolve() to canonicalize the file path and ensuring it remains within the intended export directory. Additionally, configure a Web Application Firewall (WAF) to block requests containing suspicious filenames with traversal sequences. Monitor system logs for unusual file creation activity within the export directory. After upgrading, confirm the fix by attempting to import a test archive containing a malicious filename (e.g., ../../evil.txt) and verifying that the file is not written outside the intended directory.
Update the `@apostrophecms/import-export` module to version 3.5.3 or higher. This corrects the arbitrary file write vulnerability (Zip Slip / Path Traversal) during Gzip file extraction in the import-export process. The update prevents malicious users from writing files outside the intended destination directory.
CVE-2026-32731 is a critical Zip Slip vulnerability in the @apostrophecms/import-export module, allowing attackers to write files outside the intended export directory, potentially leading to code execution.
You are affected if you are using @apostrophecms/import-export versions prior to 3.5.3. Immediately assess your deployments.
Upgrade to @apostrophecms/import-export version 3.5.3 or later. If immediate upgrade is not possible, implement temporary path validation workarounds.
While no public exploits are currently known, the vulnerability's severity and ease of exploitation suggest active exploitation is possible.
Refer to the official ApostropheCMS security advisory for detailed information and updates: [https://apostrophecms.com/security/advisories](https://apostrophecms.com/security/advisories)