
Security researchers have disclosed today details about a critical vulnerability impacting open source coding libraries that handle archived files.

Discovered by researchers from Snyk, the "Zip Slip" vulnerability is a flaw in the way application code, plugins, and libraries implement the extraction of an archive: entry names taken from the archive are trusted and used as file paths without validation.

Numerous archive formats, including zip, tar, jar, war, cpio, apk, rar, and 7z, are affected, meaning this is a class of implementation flaw that can appear in any extraction code rather than a single bug in one library.


Vulnerability leads to files being unzipped in the wrong places

According to the researchers, Zip Slip is a combination of an "arbitrary file overwrite" and a "directory traversal" issue: an archive entry named with traversal sequences such as "../../evil.sh" is written outside the intended extraction directory, letting an attacker overwrite sensitive files, such as critical OS libraries or server configuration files, with content of their choosing.

"The two parts required to exploit this vulnerability are a malicious archive and extraction code that does not perform validation checking," the Snyk team said today in a security advisory.
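The following Python script is an added example, not code from the Snyk advisory or from any of the affected libraries. It puts those two parts side by side: a constructed archive whose second entry uses "../" to climb out of the target directory, a hand-rolled extraction loop that trusts entry names (Python's own ZipFile.extractall() strips such components, so the vulnerable loop mirrors the custom extraction code the advisory describes rather than the standard call), and a hardened version that resolves every entry under the destination and rejects the whole archive if any entry escapes. The directory layout, file names and function names are assumptions made for the demonstration.

```python
import io
import os
import tempfile
import zipfile


class ZipSlipError(ValueError):
    """Raised when an archive entry would land outside the extraction directory."""


def build_malicious_zip() -> bytes:
    """Constructed Zip Slip payload: one benign entry, one entry whose name
    climbs out of the extraction directory with '../' components."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("good.txt", "benign content\n")
        zf.writestr("../../evil.txt", "written outside the target directory\n")
    return buf.getvalue()


def extract_unsafely(archive: bytes, dest: str) -> None:
    """Vulnerable pattern: the entry name is joined onto dest without any check,
    so a '../' entry is written wherever the archive author pointed it."""
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            target = os.path.join(dest, info.filename)      # no validation
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as out:
                out.write(src.read())


def safe_join(dest: str, name: str) -> str:
    """Resolve the entry name under dest and refuse anything that escapes it.
    realpath() collapses '..' and symlinks; commonpath() also rejects a sibling
    directory such as dest + '2', which a plain string-prefix check would accept.
    Absolute entry names are caught too, because os.path.join discards dest
    for them and the resolved target then shares no prefix with dest."""
    dest_real = os.path.realpath(dest)
    target = os.path.realpath(os.path.join(dest_real, name))
    if os.path.commonpath([dest_real, target]) != dest_real:
        raise ZipSlipError(f"entry {name!r} resolves to {target}, outside {dest_real}")
    return target


def entry_escapes(dest: str, name: str) -> bool:
    """True if safe_join() would reject this entry name for this destination."""
    try:
        safe_join(dest, name)
    except ZipSlipError:
        return True
    return False


def extract_safely(archive: bytes, dest: str) -> None:
    """Hardened pattern: validate every entry name before writing anything,
    so a malicious archive is rejected whole rather than partially extracted."""
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        infos = zf.infolist()
        targets = [safe_join(dest, info.filename) for info in infos]  # raises on the first bad entry
        for info, target in zip(infos, targets):
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as out:
                out.write(src.read())


def demo(extract) -> dict:
    """Run an extractor against the constructed payload inside a throwaway tree.
    dest sits two levels below the tree root so '../../' stays inside the
    temporary tree and the escaped file can be observed safely. Returns whether
    the extractor refused the archive and which files ended up on disk,
    relative to the tree root."""
    with tempfile.TemporaryDirectory() as root:
        dest = os.path.join(root, "app", "uploads")
        os.makedirs(dest)
        refused = False
        try:
            extract(build_malicious_zip(), dest)
        except ZipSlipError:
            refused = True
        files = sorted(
            os.path.relpath(os.path.join(d, f), root)
            for d, _, names in os.walk(root) for f in names
        )
        return {"refused": refused, "files": files}


if __name__ == "__main__":
    print("unsafe:", demo(extract_unsafely))   # evil.txt lands at the tree root
    print("safe:  ", demo(extract_safely))     # archive refused, nothing written
```

The same check applies to any format: whatever library produces the entry names, resolve each one against the destination before opening a file for writing, and fail the whole extraction rather than skipping the offending entry, since a partially extracted archive is rarely what the caller expects. Note that Python's tarfile.extractall() performs no such check unless called with filter="data" (available from Python 3.12), so tar handling needs the same guard.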

Researchers said they found this flaw in April, and they have been working with the maintainers of several open-source libraries that were vulnerable to this attack.

Multiple open-source libraries affected

The Snyk team has published a list of libraries affected by Zip Slip on GitHub.

While libraries written in several programming languages are known to be affected (JavaScript, Python, Ruby, .NET, Go, and Groovy among them), the issue mainly affects the Java ecosystem, because the JDK provides only low-level archive classes and there is no officially recommended library for extracting archives.

Instead, developers have created and used an assortment of libraries for this purpose, most of which are vulnerable to Zip Slip. Furthermore, the issue is so widespread that even some of the code shared on StackOverflow was found to be vulnerable to Zip Slip, meaning that many desktop, mobile, or web apps written in Java may be vulnerable to Zip Slip without developers even knowing.

To help developers understand the Zip Slip attack and aid them in detecting if their apps are vulnerable, the Snyk team has published a technical paper detailing the Zip Slip bug in much more depth.

Researchers have also published proof-of-concept Zip Slip archives so developers can test their apps for the vulnerability, along with a demo video of the attack.

