Platform
nodejs
Component
node.js
Fixed in
3.5.4
CVE-2026-32731 describes a critical Zip Slip vulnerability discovered in the @apostrophecms/import-export module, a component of the ApostropheCMS content management framework. This flaw allows attackers to write files to arbitrary locations on the server, potentially leading to code execution and complete system compromise. The vulnerability affects versions of @apostrophecms/import-export prior to 3.5.3, and a fix is available in version 3.5.3.
The Zip Slip vulnerability arises from insufficient path sanitization in the extract() function of gzip.js. The code builds each file's write path by joining the entry name taken from the (gzip-compressed) tar archive onto the intended export directory, without checking that the result still lies inside that directory. An attacker can therefore craft tar entries whose names contain traversal sequences such as ../../ and write files anywhere the Node.js process has permission to write, for example overwriting configuration or startup files, or dropping code into web-accessible directories. The potential impact is severe, ranging from website defacement and data theft to complete server takeover. The flaw follows the same pattern as other Zip Slip vulnerabilities, which is why filenames taken from an archive must be validated as carefully as any other user-controlled path.
CVE-2026-32731 was publicly disclosed on 2026-03-18. Exploitation is straightforward (a crafted entry name in an uploaded archive is all that is required) and ApostropheCMS is widely used, so the practical likelihood of exploitation is judged high even though the EPSS score listed on this page is low (0.07%, 22nd percentile). No public proof-of-concept exploits have been released at the time of writing, but the simplicity of the bug makes it likely that they will emerge. It is not currently listed on CISA KEV, but its severity warrants close monitoring. Active campaigns targeting ApostropheCMS installations are possible.
ApostropheCMS installations using @apostrophecms/import-export versions prior to 3.5.3 are at risk. This includes developers and system administrators who manage ApostropheCMS deployments, particularly those who allow users to upload files via the import-export functionality. Shared hosting environments running ApostropheCMS are also at increased risk, as a compromised user account could potentially exploit this vulnerability to gain access to the entire server.
• nodejs / server: check whether the unpatched path construction is still present in the installed module (substitute your own node_modules path):
find /path/to/node_modules/@apostrophecms/import-export -name gzip.js -exec grep -n 'path.join(exportPath, header.name)' {} +
• linux / server: watch the application's journal for extraction activity (only useful if the service logs it; substitute your actual unit name for `node`):
journalctl -f -u node | grep -i "extract()"
• generic web: the import-export module runs inside the Node.js application, so there is no `upload.php` endpoint to probe. Instead, confirm which users can reach the import route in your deployment and restrict it to trusted administrators until the module is upgraded; do not fire traversal filenames at a production system.
Exploit Status
EPSS
0.07% (22nd percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-32731 is to upgrade @apostrophecms/import-export to version 3.5.3 or later immediately. If upgrading is not immediately feasible because of compatibility concerns or breaking changes, consider a temporary workaround: add strict path validation to the extract() function, canonicalizing each entry's destination with path.resolve() and refusing any result that does not stay inside the intended export directory. A Web Application Firewall (WAF) rule that blocks traversal sequences in request paths and parameters adds little here, because the malicious filename sits inside the gzip-compressed tar body rather than in the URL or form fields; treat it as a supplementary control at best, and restrict the import functionality to trusted administrators until the upgrade is done. Monitor system logs for unexpected file creation outside the export directory, and for new or modified files in web-accessible or startup locations. After upgrading, confirm the fix in a non-production environment by importing a test archive containing an entry with a traversal name (e.g. ../../evil.txt) and verifying that nothing is written outside the intended directory.
Update the `@apostrophecms/import-export` module to version 3.5.3 or later. This corrects the arbitrary file write vulnerability (Zip Slip / Path Traversal) during extraction of Gzip archives in the import-export process. The update prevents malicious users from writing files outside the intended destination directory.
CVE-2026-32731 is a critical Zip Slip vulnerability in the @apostrophecms/import-export module, allowing attackers to write files outside the intended export directory, potentially leading to code execution.
You are affected if you are using @apostrophecms/import-export versions prior to 3.5.3. Immediately assess your deployments.
Upgrade to @apostrophecms/import-export version 3.5.3 or later. If immediate upgrade is not possible, implement temporary path validation workarounds.
While no public exploits are currently known, the vulnerability's severity and ease of exploitation suggest active exploitation is possible.
Refer to the official ApostropheCMS security advisory for detailed information and updates: [https://apostrophecms.com/security/advisories](https://apostrophecms.com/security/advisories)