Security researchers have disclosed today details about a critical vulnerability impacting open source coding libraries that handle archived files.

Discovered by researchers from Snyk, the "Zip Slip" vulnerability is an issue in the way coders, plugins, and libraries have implemented the process of decompressing an archived file.

Numerous archive formats, including tar, jar, war, cpio, apk, rar, and 7z, are affected, meaning this is a general class of implementation flaw rather than a bug in one specific piece of code.

Vulnerability leads to files being unzipped in the wrong places

According to the researchers, Zip Slip combines an "arbitrary file overwrite" with a "directory traversal" flaw: an attacker can cause files to be unzipped outside the normal extraction path and overwrite sensitive files, such as critical OS libraries or server configuration files.

"The two parts required to exploit this vulnerability are a malicious archive and extraction code that does not perform validation checking," the Snyk team said today in a security advisory.

Researchers said they found this flaw in April, and they have been working with the maintainers of several open-source libraries that were vulnerable to this attack.

Multiple open-source libraries affected

The Snyk team has published a list of libraries affected by Zip Slip on GitHub.

While libraries written in several programming languages are known to be affected (JavaScript, Python, Ruby, .NET, Go, and Groovy among them), the issue mainly affects the Java ecosystem, where there is no officially recommended library for handling archived files.

Instead, developers have created and used an assortment of libraries for this purpose, most of which are vulnerable to Zip Slip. Furthermore, the issue is so widespread that even some of the code shared on StackOverflow was found to be vulnerable to Zip Slip, meaning that many desktop, mobile, or web apps written in Java may be vulnerable to Zip Slip without developers even knowing.

To help developers understand the Zip Slip attack and aid them in detecting whether their apps are vulnerable, the Snyk team has published a technical paper detailing the Zip Slip bug in much more depth.

Researchers have also published proof-of-concept Zip Slip archives so developers can test their apps for the vulnerability. A demo video is also available below.
