ZIP Slip (Path Traversal)
What is ZIP Slip?
ZIP Slip is a directory traversal vulnerability that occurs when an application
extracts archive files without properly validating the file paths within the archive.
An attacker crafts a ZIP archive containing entries with path traversal sequences
(e.g., ../../../etc/cron.d/pwned) in the filename. When the archive is extracted
without sanitization, files are written outside the intended target directory.
How It Works
The ZIP file format stores each entry's filename as a relative path. Most extraction
tools sanitize these paths, but many application-level implementations do not.
By including ../ sequences in the entry name, the attacker can traverse up
from the extraction directory and write to arbitrary locations on the filesystem.
Attack Scenarios
Cron Job Injection
Write a cron entry to /etc/cron.d/ that executes a reverse shell.
SSH Key Injection
Write an authorized_keys file to ~/.ssh/authorized_keys.
Web Shell Deployment
Write a web shell to the web server's document root.
Configuration Overwrite
Overwrite application configuration files to change behavior.
Defenses That Block This
- Path canonicalization before writing extracted files
- Rejecting entries containing
..path components - Chroot/sandbox extraction environments
- Language-specific safe extraction libraries (e.g., Go's archive/zip sanitizes by default)
Related CVEs
- CVE-2018-1002200 — Zip Slip in multiple libraries (original disclosure by Snyk)
- CVE-2018-16385 — Phar deserialization in PHP
- CVE-2018-1002201 — Zip Slip in plexus-archiver