CVE-2026-32731

ApostropheCMS · @apostrophecms/import-export

A "Zip Slip" path traversal vulnerability in the ApostropheCMS import-export module allows authenticated users with content modification permissions to write arbitrary files to the host filesystem.

Executive summary

A critical Zip Slip vulnerability in ApostropheCMS allows authenticated editors to overwrite system files and achieve remote code execution by uploading malicious archives.

Vulnerability

The extract() function in gzip.js uses path.join() without sanitizing ../ segments in tar entry names. This allows an authenticated user with "Global Content Modify" permissions to upload a .tar.gz file that writes content to any path accessible by the Node.js process.

Business impact

This vulnerability is assigned a CVSS score of 9.9. While it requires authentication, the "Global Content Modify" role is commonly held by many staff members. A successful exploit allows for host-level code execution, permanent data loss via file overwriting, and full server compromise, leading to total operational disruption.

Remediation

Immediate Action: Update the @apostrophecms/import-export package to version 3.5.3 or higher without delay.

Proactive Monitoring: Review CMS upload logs for .tar.gz files and audit the filesystem for any unexpected files created in system directories or application source folders.

Compensating Controls: Ensure the Node.js process runs with the least possible filesystem privileges and implement a WAF to inspect archive contents if possible, though patching is the only reliable fix.

Exploitation status

Public Exploit Available: false

Analyst recommendation

Given the CVSS score of 9.9, this is the most critical vulnerability in this batch. Organizations must update their ApostropheCMS dependencies immediately to prevent a catastrophic compromise of the host environment.