
Zip Slip: When Archive Extraction Becomes Remote Code Execution

Understanding the Vulnerability

In June 2018 Snyk's security team disclosed a path traversal vulnerability affecting archive extraction code across multiple ecosystems. Known as Zip Slip, it lets an attacker write files outside the intended extraction directory by crafting archive entries whose names contain directory traversal sequences (e.g., ../../evil.sh). Despite the name, it applies to any archive format that stores entry paths, including tar, jar, war, cpio, apk, rar and 7z. When an application extracts such an archive without validating the resolved path of each entry, the attacker writes arbitrary content anywhere the extracting process has permission: overwriting configuration files, planting executables in startup directories, or replacing system binaries. Code execution follows as soon as the planted file is run or loaded.

This vulnerability affected thousands of projects, including ones from HP, Amazon, Apache, and Pivotal. The impact was particularly severe in the Java ecosystem, whose standard library has no high-level "extract this archive" API; projects therefore wrote their own extraction loops, often copied from the same few snippets, and the unsafe pattern spread into widely-used libraries and enterprise applications.

Key Events in the Zip Slip Disclosure

Initial Discovery: Snyk's research team identified the vulnerability pattern while analyzing archive extraction implementations across various language ecosystems.

Scope Analysis: The team found that the vulnerability was not isolated to a single library. The same unsafe extraction pattern appeared in implementations across Java, JavaScript, .NET, and Go.

Coordinated Disclosure: Snyk collaborated with affected library maintainers to develop patches before public disclosure.

Public Release: Snyk published the vulnerability details, proof-of-concept archives, and a public GitHub repository listing known-affected libraries and, where available, the versions that fix them, giving organizations a concrete list to check their dependencies against.

Remediation Phase: Library maintainers released patched versions. Organizations began scanning their dependency trees and updating affected packages.

Identifying Control Failures

Input Validation Failure: Applications extracted archive entries without validating that the target path remained within the intended extraction directory. The code trusted user-supplied archive contents to contain safe paths.

Dependency Security Scanning Gap: Many organizations lacked automated dependency vulnerability scanning in their CI/CD pipelines. Without continuous monitoring, vulnerable libraries remained in production applications for extended periods.

Security Code Review Deficiency: Code reviews didn't catch the path traversal vulnerability because reviewers focused on business logic rather than security-critical operations like file system interactions.

Third-Party Component Inventory Failure: Organizations didn't maintain accurate inventories of their dependencies, making it difficult to quickly identify whether they were affected when the disclosure occurred.

Compliance and Security Standards

PCI DSS v4.0.1 Requirement 6.2.4 requires software engineering techniques that prevent or mitigate common software attacks, which is where path validation during file operations belongs. Requirement 6.3.2 requires an inventory of bespoke and custom software and of the third-party components it incorporates, exactly the inventory many organizations lacked when Zip Slip was disclosed.

OWASP Top 10 2021 A01:2021 – Broken Access Control highlights path traversal as a critical access control failure. Your code must validate that file operations remain within authorized boundaries.

OWASP ASVS v4.0.3 Requirement 12.3.1 requires that user-submitted filename metadata is not used directly by system or framework file systems and that a URL API is used to protect against path traversal; Requirement 12.3.2 requires that such metadata is validated or ignored so it cannot disclose, create, update, or remove local files. An archive entry name is exactly this kind of user-submitted filename.

ISO/IEC 27001:2022 Annex A.8.28 (Secure coding) requires organizations to apply secure coding principles to software development, which includes validating input used in security-critical operations such as file system writes.

NIST 800-53 Rev 5 SI-10 requires applications to check the validity of information inputs. Archive entry paths are inputs that must be validated before writing to the file system.

Actionable Steps for Your Team

Implement Path Canonicalization Checks: Before writing any file during archive extraction, resolve the target path to its canonical form and verify it lies under your intended extraction directory. Compare against the canonical directory path with a trailing separator appended (or compare whole path components): a bare prefix check accepts a sibling such as /safe/extraction/pathological. Also reject absolute entry names where your path-joining API lets them replace the base directory (Java's File(parent, child) anchors them under parent; Python's os.path.join does not).

import java.io.File;
import java.util.zip.ZipEntry;

// entry is the ZipEntry being processed; getCanonicalPath() can throw IOException
File destDir = new File("/safe/extraction/path");
File destFile = new File(destDir, entry.getName());
// Trailing separator so "/safe/extraction/path-evil" does not pass as a prefix match
String destDirPath = destDir.getCanonicalPath() + File.separator;
if (!destFile.getCanonicalPath().startsWith(destDirPath)) {
    throw new SecurityException("Zip Slip attempt detected: " + entry.getName());
}

Deploy Dependency Scanning in CI/CD: Integrate tools like Snyk, GitHub Dependabot, or OWASP Dependency-Check into your build pipeline. Configure them to fail builds when high-severity vulnerabilities are detected.

Maintain a Software Bill of Materials (SBOM): Generate an SBOM for every application you deploy, in one of the two common formats, CycloneDX or SPDX. Generators such as Syft or the CycloneDX ecosystem plugins can produce them from your build artifacts, and an SBOM turns the question "are we affected?" into a lookup instead of an investigation.

Establish Dependency Update Policies: Define maximum ages for dependencies and automate pull requests for updates. Consider implementing automated minor version updates with manual review for major versions.

Review File System Operations in Code Reviews: Train your reviewers to flag file system operations that don't validate paths. Make this a checklist item in your review process.

Test Archive Handling with Malicious Inputs: Add security test cases that attempt Zip Slip attacks against your archive extraction code. Verify your code rejects them.
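The following is an added example, not code from the article or from Snyk's repository, and it serves three passages at once: the malicious archive described in the opening section, the canonicalization check above, and this test step. It is written in Python because the archive can be constructed in memory with the standard library; the entry names, the directory layout and the function names are all constructed for the example. Note that Python's own ZipFile.extractall() already strips traversal components, so vulnerable_extract() models a hand-rolled extraction loop of the kind Snyk found, not the standard library.

```python
"""Zip Slip demo: a hand-rolled extractor that trusts entry names, beside a hardened one."""
import io
import os
import re
import tempfile
import zipfile

# Entry names are CONSTRUCTED for this example. "../../evil.sh" is the traversal
# sequence from the article; "../out-evil/..." escapes into a sibling directory
# whose name merely starts with the extraction directory's name.
MALICIOUS_ENTRIES = {
    "readme.txt": b"benign file\n",
    "../../evil.sh": b"#!/bin/sh\necho pwned\n",
    "../out-evil/note.txt": b"prefix-sibling escape\n",
}


def build_malicious_zip(entries=MALICIOUS_ENTRIES):
    """Build an in-memory zip whose entry names carry traversal sequences;
    zipfile stores the name verbatim, so nothing stops ".." in the central directory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def vulnerable_extract(zip_bytes, dest_dir):
    """The pattern Snyk found in the wild: join the entry name onto dest and write."""
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            target = os.path.join(dest_dir, info.filename)  # no validation at all
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as fh:
                fh.write(zf.read(info))
            written.append(os.path.normpath(target))
    return written


def resolve_target(dest_dir, name):
    """Return the canonical absolute path for an entry, or None if it would escape."""
    dest_real = os.path.realpath(dest_dir)
    # An absolute name (POSIX "/etc/x", Windows "C:\\x" or "\\srv\\x") makes
    # os.path.join discard dest_dir entirely, so reject it before joining.
    if os.path.isabs(name) or name.startswith(("/", "\\")) or re.match(r"^[A-Za-z]:", name):
        return None
    # realpath resolves ".." and follows symlinks already present under dest_dir,
    # so a symlink planted by an earlier entry cannot redirect a later one.
    target = os.path.realpath(os.path.join(dest_real, name))
    # commonpath compares whole components: "/x/out" is not a prefix of
    # "/x/out-evil", which a bare str.startswith(dest_real) check would accept.
    if os.path.commonpath([dest_real, target]) != dest_real:
        return None
    return target


def safe_extract(zip_bytes, dest_dir):
    """Extract only entries that resolve inside dest_dir; return (written, rejected)."""
    written, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            target = resolve_target(dest_dir, info.filename)
            if target is None:
                rejected.append(info.filename)
                continue
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as fh:
                fh.write(zf.read(info))
            written.append(target)
    return written, rejected


def run_demo():
    """Run both extractors on the malicious archive inside a throwaway tree and
    return the written paths relative to that tree, so the escape is visible."""
    zip_bytes = build_malicious_zip()
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.realpath(tmp)
        vuln_dest = os.path.join(root, "vulnerable", "a", "b", "out")
        safe_dest = os.path.join(root, "safe", "a", "b", "out")
        os.makedirs(vuln_dest)
        os.makedirs(safe_dest)
        vuln_written = vulnerable_extract(zip_bytes, vuln_dest)
        safe_written, rejected = safe_extract(zip_bytes, safe_dest)
        return {
            "vulnerable": sorted(os.path.relpath(p, root) for p in vuln_written),
            "safe": sorted(os.path.relpath(p, root) for p in safe_written),
            "rejected": sorted(rejected),
        }


if __name__ == "__main__":
    for key, paths in run_demo().items():
        print(f"{key}: {paths}")
```

Running it shows the vulnerable loop writing evil.sh two directories above the extraction directory and note.txt into the sibling out-evil, while the hardened loop extracts only readme.txt and reports the other two entries as rejected. The same resolve_target() check belongs in any test suite for code that extracts archives: feed it the constructed archive and assert on the rejected list. For tar input the symlink case matters more, since a tar entry can be a symlink; Python's tarfile.extractall() only gained equivalent protection with the filter="data" extraction filter (added in 3.12 and backported to later 3.8 through 3.11 security releases), and it is opt-in until the default changes.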

Patch Immediately, Inventory Later: When a vulnerability like Zip Slip is disclosed, patch your direct dependencies and fix any extraction loop in your own code first, then work through transitive dependencies. Zip Slip often lived not in a named library but in a copied snippet, so a dependency scan alone will not find every instance; grep your code for archive extraction as well.

The Zip Slip vulnerability exploited a simple oversight in archive path handling. However, simple vulnerabilities in widely-used libraries create significant exposure. Your dependency security controls must assume that any third-party code could contain similar flaws. Automate detection, maintain inventory, and validate inputs to protect your systems.
