Public Disclosure of a Critical Arbitrary File Overwrite Vulnerability: Zip Slip

Public Disclosure of a Critical Arbitrary File Overwrite Vulnerability: Zip Slip

Danny Grander
June 5, 2018 | in Vulnerabilities
| By Danny Grander

The Snyk Security team is today announcing the public disclosure of a critical arbitrary file overwrite vulnerability called Zip Slip. It is a widespread vulnerability which typically results in remote command execution. The vulnerability affects thousands of projects, including ones from HP, Amazon, Apache, Pivotal and many others. It has been found in multiple ecosystems, including JavaScript, Ruby, .NET and Go, but is especially prevalent in Java. Of course, this type of vulnerability has existed before, but recently it has manifested itself in a much larger number of projects and libraries.

Zip Slip is exploited using a specially crafted archive that holds directory traversal filenames (e.g. ../../evil.sh). The vulnerability can affect numerous archive formats, including tar, jar, war, cpio, apk, rar and 7z.

Watch the video below to see a live exploit of the Zip Slip vulnerability:

If you’d like more information on this vulnerability, including the libraries and projects that are affected, as well as find out if you’re affected, and the remediation steps you should take, read through our Zip Slip Vulnerability Research page.

Take me to the Zip Slip Research Page

Given the severity and widespread nature of the ZipSlip vulnerability, I very strongly recommend you spend some time ensuring you are not vulnerable either through other libraries or your own code.

All projects monitored by Snyk will receive alerts if they are using one of the vulnerable libraries. If your projects use Java and you are a Standard, Pro or Enterprise customer, I also recommend you use the Reports tab to discover which are using the Apache Compress library, and inspect the code of those projects to confirm it is not vulnerable.

If you would like to discuss this vulnerability in more detail, or for further media reporting, please contact us via security@snyk.io.