Public Disclosure of a Critical Arbitrary File Overwrite Vulnerability: Zip Slip

Danny Grander's avatar Danny Grander

The Snyk Security team is today announcing the public disclosure of a critical arbitrary file overwrite vulnerability called Zip Slip. It is a widespread vulnerability which typically results in remote command execution. The vulnerability affects thousands of projects, including ones from HP, Amazon, Apache, Pivotal and many others. It has been found in multiple ecosystems, including JavaScript, Ruby, .NET and Go, but is especially prevalent in Java. Of course, this type of vulnerability has existed before, but recently it has manifested itself in a much larger number of projects and libraries.

Zip Slip is exploited using a specially crafted archive that holds directory traversal filenames (e.g. ../../evil.sh). The vulnerability can affect numerous archive formats, including tar, jar, war, cpio, apk, rar and 7z.

Watch the video below to see a live exploit of the Zip Slip vulnerability:

If you’d like more information on this vulnerability, including the libraries and projects that are affected, as well as find out if you’re affected, and the remediation steps you should take, read through our Zip Slip Vulnerability Research page.

Take me to the Zip Slip Research Page

Given the severity and widespread nature of the ZipSlip vulnerability, I very strongly recommend you spend some time ensuring you are not vulnerable either through other libraries or your own code.

All projects monitored by Snyk will receive alerts if they are using one of the vulnerable libraries. If your projects use Java and you are a Standard, Pro or Enterprise customer, I also recommend you use the Reports tab to discover which are using the Apache Compress library, and inspect the code of those projects to confirm it is not vulnerable.

If you would like to discuss this vulnerability in more detail, or for further media reporting, please contact us via security@snyk.io.

Introducing Service Accounts – API tokens for your org

June 12, 2018

One of our most frequent feature requests recently has been for the ability to generate an API token that isn't tied to a particular user. We're really excited to be able to now offer our Pro and Enterprise customers the ability to create Service Accounts – a special type of user that has an API token associated with it.

10 GitHub Security Best Practices

May 30, 2018

Your source code should be one of your prize possesions. You must protect it with security processes and practices to ensure you don't put your code or users at risk. This cheat sheet covers 10 best practices you should consider implementing in your GitHub repository or organisation to enforce security on your projects.

Subscribe to The Secure Developer Podcast

A podcast about security for developers, covering tools and best practices.

Find out more

Interested in web security?

Subscribe to our newsletter:

Get realtime updates and fixes for JavaScript, Ruby and Java vulnerabilities that affect your applications