
Bower's Zip Slip: When 2M Monthly Downloads Meet Archive Extraction Flaws

Critical Vulnerabilities in Bower

Security researchers identified critical vulnerabilities in Bower, a front-end package manager, that let a malicious package write arbitrary files outside its install directory during archive extraction (the path-traversal pattern known as Zip Slip). The flaws affected both zip and tar.gz handling. Although Bower is widely regarded as legacy technology, it still sees almost 2 million downloads per month, so a malicious or compromised package could reach a large number of developer machines and build environments.

The Bower maintainers released version 1.8.6 to address the zip vulnerability and version 1.8.8 for the tar.gz issue. The vulnerabilities were reported to the Node.js security working group, which coordinated the disclosure and patching process.

Vulnerability Timeline

The Zip Slip vulnerability class was named and publicly documented by Snyk's security research team in 2018. The underlying flaw, archive member names containing directory traversal that the extractor writes to disk without validation, affects extraction code across many ecosystems and languages.

The specific Bower vulnerabilities were discovered by security researchers and reported through the Node.js security working group's coordinated disclosure process. The maintainers responded with patches:

  • Version 1.8.6: Fixed zip archive extraction vulnerability
  • Version 1.8.8: Fixed tar.gz archive extraction vulnerability

Exact discovery and disclosure dates are not publicly documented.

Missing Security Controls

Dependency Security Review: Bower's vulnerability partly stemmed from its use of the decompress-zip dependency. This case shows the risks when third-party components introduce path traversal vulnerabilities that affect downstream consumers.

Input Validation on Archive Paths: The core failure was inadequate validation of the member names stored inside compressed archives. Extraction code must ensure that every file it writes lands inside the intended target directory. Bower's implementation took the member name as given, so a malicious archive could carry a name like ../../../etc/cron.d/malicious-job and have it written, relative to the extraction directory, anywhere the process could reach, with the privileges of the developer account or CI job running Bower.

Security Testing of Legacy Code: Legacy tools often lack continuous security scrutiny. Bower's official repository states the project is in maintenance mode, yet 2 million monthly downloads indicate widespread use. This gap between "maintenance mode" and "actively securing against emerging threats" created an exposure window.

Software Composition Analysis (SCA): Organizations using Bower likely lacked automated tools to detect known vulnerabilities in their package managers. Most SCA tools focus on application dependencies, not the tools used to install those dependencies.

Relevant Standards

PCI DSS v4.0.1 Requirement 6.3.2 requires an inventory of bespoke and custom software and of the third-party software components incorporated into it, maintained to support vulnerability and patch management; Requirement 6.2.1 requires that bespoke and custom software are developed securely. While Bower is open source, any organization processing cardholder data must ensure its build tooling is inventoried and patched. A compromised package manager could inject malicious code into payment processing applications.

OWASP Top 10 2021: A06:2021 – Vulnerable and Outdated Components addresses this scenario. It notes vulnerability when "you do not know the versions of all components you use" and "if the software is vulnerable, unsupported, or out of date." Package managers are components in your build pipeline.

ISO/IEC 27001:2022 Annex A.8.25 (secure development life cycle) requires rules for the secure development of software and systems to be established and applied; the tools used in that life cycle fall within those rules. Your information security management system should track not just application dependencies, but also build tools, package managers, and other development infrastructure.

NIST SP 800-53 Rev. 5 control SA-15 (Development Process, Standards, and Tools) requires developers to follow a documented development process that addresses security requirements and identifies the tools and tool configurations used, and requires that process and those tools to be reviewed against the organization's requirements. It calls for "protection mechanisms for the tools and tool environments."

Action Items for Your Team

Audit Legacy Tooling: Inventory every package manager, build tool, and development utility in your pipeline. For each one, determine:

  • Is it still maintained?
  • When was the last security patch?
  • How many downloads or users does it have?
  • What privileges does it run with?

If Bower is in your environment, upgrade to version 1.8.8 or later immediately: 1.8.6 fixes only the zip issue, and the tar.gz fix arrived in 1.8.8. Consider migrating to actively maintained alternatives like npm or Yarn.

Implement SCA for Your Toolchain: Extend vulnerability scanning to include:

  • Package managers (npm, pip, Maven, etc.)
  • Build tools (Webpack, Gulp, Grunt)
  • CI/CD agents and plugins
  • Container base images

Your Dependabot or Snyk configuration should monitor these tools with the same rigor applied to application dependencies.

Validate Archive Extraction: Review any code that extracts zip, tar, tar.gz, or other archive formats. Your validation logic must:

  • Canonicalize the full destination path (join the member name onto the extraction directory, then normalize it) before making any decision
  • Verify the canonical path starts with the intended extraction directory followed by a path separator, so a sibling directory with a longer name is not accepted
  • Reject member names containing .. segments or absolute paths, on either separator style
  • Treat symbolic-link entries with the same suspicion: a link pointing outside the directory, followed by a file written through it, escapes just as effectively
  • Consider using libraries designed to prevent Zip Slip

Define EOL Policies for Development Tools: Establish a policy that triggers migration planning when a tool enters maintenance mode. "Still works" is not the same as "still secure." Your policy might state: "Tools in maintenance mode for >12 months require security review every 90 days or active migration planning."

Segment Build Environment Privileges: Run package managers and build tools with minimal necessary privileges. If Bower is compromised during a build, the impact depends on what that process can access. Use dedicated service accounts, containerization, or ephemeral build environments to limit exposure.

Test Incident Response for Supply Chain Scenarios: Most incident response plans focus on production breaches. Run a tabletop exercise where your package manager is compromised. Who needs to be notified? How do you identify affected builds? What's your rollback procedure? The Bower incident required coordinated disclosure through the Node.js security working group—do you have relationships with the security teams for your critical tools?

The Bower vulnerabilities demonstrate that your security perimeter extends to every tool that touches your code, not just the code itself. Legacy doesn't mean safe—it often means the opposite.

Topics: Incident
