ZIP Slip (Path Traversal)

What is ZIP Slip?

ZIP Slip is a directory traversal vulnerability that occurs when an application extracts archive files without properly validating the file paths within the archive. An attacker crafts a ZIP archive containing entries with path traversal sequences (e.g., ../../../etc/cron.d/pwned) in the filename. When the archive is extracted without sanitization, files are written outside the intended target directory.

How It Works

The ZIP file format stores each entry's filename as a relative path. Most extraction tools sanitize these paths, but many application-level implementations do not. By including ../ sequences in the entry name, the attacker can traverse up from the extraction directory and write to arbitrary locations on the filesystem.

Attack Scenarios

Cron Job Injection

Write a cron entry to /etc/cron.d/ that executes a reverse shell.

SSH Key Injection

Write an authorized_keys file to ~/.ssh/authorized_keys.

Web Shell Deployment

Write a web shell to the web server's document root.

Configuration Overwrite

Overwrite application configuration files to change behavior.

Defenses That Block This

  • Path canonicalization before writing extracted files
  • Rejecting entries containing .. path components
  • Chroot/sandbox extraction environments
  • Language-specific safe extraction libraries (e.g., Go's archive/zip sanitizes by default)

Related CVEs

  • CVE-2018-1002200 — Zip Slip in multiple libraries (original disclosure by Snyk)
  • CVE-2018-16385 — Phar deserialization in PHP
  • CVE-2018-1002201 — Zip Slip in plexus-archiver

References