Security researchers have disclosed today details about a critical vulnerability impacting open source coding libraries that handle archived files.
Discovered by researchers from Snyk, the "Zip Slip" vulnerability is a flaw in how developers, plugins, and libraries implement the extraction of archive files.
Numerous archive formats, including tar, jar, war, cpio, apk, rar, and 7z, are affected, meaning this is a general class of implementation flaw rather than a bug in one specific piece of code.
According to the researchers, Zip Slip is a combination of an "arbitrary file overwrite" and a "directory traversal" issue: an attacker can craft an archive whose entries unpack outside the intended extraction directory and overwrite sensitive files, such as critical OS libraries or server configuration files.
"The two parts required to exploit this vulnerability are a malicious archive and extraction code that does not perform validation checking," the Snyk team said today in a security advisory.
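The "validation checking" the advisory refers to is a check that each archive entry, once its path is resolved, still lands inside the destination directory. The following is an added Python example (not code from the Snyk advisory or from any of the affected libraries) that builds two constructed in-memory zip files, one benign and one carrying a `../` entry, and shows an extractor that validates every entry name before writing anything; all file names and contents are made up for the demonstration.

```python
import io
import os
import tempfile
import zipfile

def is_safe_entry(dest_dir: str, entry_name: str) -> bool:
    """True only if the entry resolves to a path inside dest_dir."""
    dest_root = os.path.realpath(dest_dir)
    # realpath collapses '..' (and os.path.join drops dest_root for absolute
    # names); the os.sep guard stops sibling '/out-evil' matching prefix '/out'.
    target = os.path.realpath(os.path.join(dest_root, entry_name))
    return target == dest_root or target.startswith(dest_root + os.sep)

def safe_extract(zip_bytes: bytes, dest_dir: str) -> list:
    """Extract an in-memory zip; validate every entry before writing any."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        infos = zf.infolist()
        for info in infos:
            if not is_safe_entry(dest_dir, info.filename):
                raise ValueError(f"Zip Slip entry rejected: {info.filename!r}")
        for info in infos:
            target = os.path.join(os.path.realpath(dest_dir), info.filename)
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
        return [info.filename for info in infos]

def build_archive(entries: dict) -> bytes:
    """Build a zip in memory; names are written verbatim (constructed input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()

# Constructed sample archives: one benign, one carrying a traversal entry.
GOOD_ZIP = build_archive({"readme.txt": b"hello", "docs/a.txt": b"a"})
BAD_ZIP = build_archive({"readme.txt": b"hello", "../../overwritten.conf": b"x"})

def demo() -> tuple:
    """Extract both archives into a scratch dir; return (names, error message)."""
    with tempfile.TemporaryDirectory() as tmp:
        names = safe_extract(GOOD_ZIP, os.path.join(tmp, "out"))
        try:
            safe_extract(BAD_ZIP, os.path.join(tmp, "out"))
            error = ""
        except ValueError as exc:
            error = str(exc)
    return names, error
```

Because validation runs over the whole entry list before the first write, a malicious archive is rejected without leaving a partially extracted tree behind.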
The researchers said they found the flaw in April and have since been working with the maintainers of several open-source libraries that were vulnerable to the attack.
The Snyk team has published a list of libraries affected by Zip Slip on GitHub.
Instead, developers have created and used an assortment of libraries for this purpose, most of which are vulnerable to Zip Slip. Furthermore, the issue is so widespread that even some of the code shared on StackOverflow was found to be vulnerable to Zip Slip, meaning that many desktop, mobile, or web apps written in Java may be vulnerable to Zip Slip without developers even knowing.
To help developers understand the Zip Slip attack and determine whether their apps are vulnerable, the Snyk team has published a technical paper describing the Zip Slip bug in much more depth.
Researchers have also published proof-of-concept Zip Slip archives so developers can test their apps for the vulnerability. A demo video is also available below.