Severity: High | CWE-22 | OWASP A01:2021

Zip Slip

Extracting ZIP archives without validating file paths allows attackers to craft archives that write files outside the target directory, overwriting critical application files.

How It Works

Zip Slip is a path traversal vulnerability specific to archive extraction. An attacker creates a ZIP file where entries have paths like ../../etc/cron.d/backdoor or ../../../app/server.js. When the application extracts the archive without checking each entry's destination path, files are written outside the intended extraction directory. This can overwrite server configuration, inject malicious code into the application, or place web shells in publicly accessible directories. The vulnerability affects ZIP, TAR, JAR, WAR, and other archive formats. It is especially dangerous in CI/CD pipelines where uploaded archives are automatically extracted.

Vulnerable Code

```javascript
const AdmZip = require('adm-zip');

app.post('/upload-zip', upload.single('archive'), (req, res) => {
  const zip = new AdmZip(req.file.path);
  // Every entry name in the archive is trusted as-is, so an entry such as
  // "../../app/server.js" is written outside uploads/extracted/.
  zip.extractAllTo('uploads/extracted/', true);
  res.json({ message: 'Extracted successfully' });
});
```
Secure Code

```javascript
const AdmZip = require('adm-zip');
const path = require('path');

app.post('/upload-zip', upload.single('archive'), (req, res) => {
  const zip = new AdmZip(req.file.path);
  // path.resolve drops the trailing slash, so compare against targetDir plus a separator.
  const targetDir = path.resolve('uploads/extracted/');
  for (const entry of zip.getEntries()) {
    // Resolving each entry against the target collapses any "../" segments.
    const dest = path.resolve(targetDir, entry.entryName);
    // A bare startsWith(targetDir) would accept a sibling such as "uploads/extracted-evil".
    if (dest !== targetDir && !dest.startsWith(targetDir + path.sep)) {
      return res.status(400).json({ error: 'Invalid archive path' });
    }
  }
  zip.extractAllTo(targetDir, true);
  res.json({ message: 'Extracted successfully' });
});
```

Real-World Example

Snyk discovered the Zip Slip vulnerability in 2018, affecting thousands of projects across multiple ecosystems. Major projects including Apache Spark, Spring Framework, and LinkedIn's Pinot were vulnerable. The vulnerability allowed arbitrary file overwrite on servers processing uploaded archives.

How to Prevent It

  • Validate that every entry's resolved path starts with the target extraction directory
  • Reject archives containing entries with ../ sequences in their paths
  • Use libraries that have built-in Zip Slip protection or have been patched
  • Extract archives in isolated containers or sandboxed environments

Affected Technologies

Node.js, Python, Java, PHP, Go

Data Hogo detects this vulnerability automatically.
