CVE-2026-32731

ApostropheCMS is an open-source content management framework. Prior to version 3.5.3 of `@apostrophecms/import-export`, The `extract()` function in `gzip.js` constructs file-write paths using `fs.createWriteStream(path.join(exportPath, header.name))`. `path.join()` does not resolve or sanitise traversal segments such as `../`. It concatenates them as-is, meaning a tar entry named `../../evil.js` resolves to a path outside the intended extraction directory. No canonical-path check is performed before the write stream is opened. This is a textbook Zip Slip vulnerability. Any user who has been granted the Global Content Modify permission — a role routinely assigned to content editors and site managers — can upload a crafted `.tar.gz` file through the standard CMS import UI and write attacker-controlled content to any path the Node.js process can reach on the host filesystem. Version 3.5.3 of `@apostrophecms/import-export` fixes the issue.

CVSS v3 9.9 CRITICAL

9.9^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.1 / Impact : 6.0

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope CHANGED

References

Link	Resource
https://github.com/apostrophecms/apostrophe/security/advisories/GHSA-mwxc-m426-3f78	Exploit Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:apostrophecms:import-export:*:*:*:*:*:node.js:*:*

History

No history.

Information

Published : 2026-03-18 23:17

Updated : 2026-03-24 21:31

NVD link : CVE-2026-32731

Mitre link : CVE-2026-32731

CVE.ORG link : CVE-2026-32731

JSON object : View

Products Affected

apostrophecms

import-export

CWE

CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

{"id": "CVE-2026-32731", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.9, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 6.0, "exploitabilityScore": 3.1}]}, "published": "2026-03-18T23:17:29.543", "references": [{"url": "https://github.com/apostrophecms/apostrophe/security/advisories/GHSA-mwxc-m426-3f78", "tags": ["Exploit", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-22"}]}], "descriptions": [{"lang": "en", "value": "ApostropheCMS is an open-source content management framework. Prior to version 3.5.3 of `@apostrophecms/import-export`,\nThe `extract()` function in `gzip.js` constructs file-write paths using `fs.createWriteStream(path.join(exportPath, header.name))`. `path.join()` does not resolve or sanitise traversal segments such as `../`. It concatenates them as-is, meaning a tar entry named `../../evil.js` resolves to a path outside the intended extraction directory. No canonical-path check is performed before the write stream is opened. This is a textbook Zip Slip vulnerability. Any user who has been granted the Global Content Modify permission \u2014 a role routinely assigned to content editors and site managers \u2014 can upload a crafted `.tar.gz` file through the standard CMS import UI and write attacker-controlled content to any path the Node.js process can reach on the host filesystem. Version 3.5.3 of `@apostrophecms/import-export` fixes the issue."}, {"lang": "es", "value": "ApostropheCMS es un framework de gesti\u00f3n de contenido de c\u00f3digo abierto. Antes de la versi\u00f3n 3.5.3 de `'@apostrophecms/import-export'`, la funci\u00f3n `'extract'`() en `'gzip.js'` construye rutas de escritura de archivos usando `'fs.createWriteStream(path.join(exportPath, header.name))'`. `'path.join'`() no resuelve ni sanitiza segmentos de recorrido como `'../'`. Los concatena tal cual, lo que significa que una entrada tar llamada `'../../evil.js'` se resuelve a una ruta fuera del directorio de extracci\u00f3n previsto. No se realiza ninguna comprobaci\u00f3n de ruta can\u00f3nica antes de que se abra el flujo de escritura. Esta es una vulnerabilidad Zip Slip de libro de texto. Cualquier usuario al que se le haya concedido el permiso de Modificar Contenido Global \u2014 un rol asignado rutinariamente a editores de contenido y administradores de sitios \u2014 puede cargar un archivo '.tar.gz' manipulado a trav\u00e9s de la interfaz de usuario de importaci\u00f3n est\u00e1ndar del CMS y escribir contenido controlado por el atacante en cualquier ruta que el proceso de Node.js pueda alcanzar en el sistema de archivos del host. La versi\u00f3n 3.5.3 de `'@apostrophecms/import-export'` soluciona el problema."}], "lastModified": "2026-03-24T21:31:54.240", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:apostrophecms:import-export:*:*:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "DC368091-4E2B-454F-BFA1-96EADD6524A9", "versionEndExcluding": "3.5.3"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}