Public Disclosure of a Critical Arbitrary File Overwrite Vulnerability: Zip Slip
Zip Slip is exploited using a specially crafted archive that holds directory traversal filenames (e.g.
../../evil.sh). The vulnerability can affect numerous archive formats, including
Watch the video below to see a live exploit of the Zip Slip vulnerability:
If you’d like more information on this vulnerability, including the libraries and projects that are affected, as well as find out if you’re affected, and the remediation steps you should take, read through our Zip Slip Vulnerability Research page.
Given the severity and widespread nature of the ZipSlip vulnerability, I very strongly recommend you spend some time ensuring you are not vulnerable either through other libraries or your own code.
All projects monitored by Snyk will receive alerts if they are using one of the vulnerable libraries. If your projects use Java and you are a Standard, Pro or Enterprise customer, I also recommend you use the Reports tab to discover which are using the Apache Compress library, and inspect the code of those projects to confirm it is not vulnerable.
If you would like to discuss this vulnerability in more detail, or for further media reporting, please contact us via firstname.lastname@example.org.