Zip Slip

July 7, 2024

Zip Slip is a widespread critical archive extraction vulnerability, allowing attackers to write arbitrary files on the system, typically resulting in remote command execution. It was discovered and responsibly disclosed by the Snyk Security team ahead of a public disclosure on 5th June 2018, and affects thousands of projects, including ones from HP, Amazon, Apache, Pivotal and many more. This page provides the most up-to-date fix statuses for the libraries and projects that were found to be exploitable or contain a vulnerable implementation.

For more information on the technical details of Zip Slip, read http://snyk.io/research/zip-slip-vulnerability.

The vulnerability has been found in multiple ecosystems, including JavaScript, Ruby, .NET and Go, but is especially prevalent in Java, where there is no central library offering high level processing of archive (e.g. zip) files. The lack of such a library led to vulnerable code snippets being hand-crafted and shared among developer communities such as StackOverflow.

The vulnerability is exploited using a specially crafted archive that holds directory traversal filenames (e.g. ../../evil.sh). The Zip Slip vulnerability can affect numerous archive formats, including tar, jar, war, cpio, apk, rar and 7z.

Here is a vulnerable code example showing a ZipEntry path being concatenated to a destination directory without any path validation. Code similar to this has been found in many repositories across many ecosystems, including libraries which thousands of applications depend on.

```java
Enumeration<ZipEntry> entries = zip.getEntries();
while (entries.hasMoreElements()) {
   ZipEntry e = entries.nextElement();
   // Vulnerable: the entry name is taken straight from the archive. A name such as
   // "../../evil.sh" resolves outside destinationDir and nothing here rejects it.
   File f = new File(destinationDir, e.getName());
   InputStream input = zip.getInputStream(e);
   // write(f) stands for opening f for writing; the traversal path is written as-is.
   IOUtils.copy(input, write(f));
}
```
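The same loop hardened the way the fixed libraries listed below did, as an added example that is not code from the original page or from Snyk: every entry name is resolved against the destination directory and refused if the result lies outside it. The class `SafeUnzip`, the methods `resolveEntry`, `extract` and `craftedZip`, and the in-memory archive are all constructed for illustration.

```java
import java.io.*;
import java.nio.file.*;
import java.util.zip.*;

public class SafeUnzip {
    // Resolve an entry name under destDir and refuse anything that escapes it.
    // Path.startsWith compares whole components, so "/tmp/dest2" is not inside
    // "/tmp/dest"; normalize() collapses "../" and an absolute name stays absolute.
    static Path resolveEntry(Path destDir, String entryName) throws IOException {
        Path root = destDir.toAbsolutePath().normalize();
        Path target = root.resolve(entryName).normalize();
        if (!target.startsWith(root)) {
            throw new IOException("Zip Slip: entry escapes destination: " + entryName);
        }
        return target;
    }

    // Extract every entry, validating its resolved path before anything is written.
    static void extract(InputStream archive, Path destDir) throws IOException {
        try (ZipInputStream zin = new ZipInputStream(archive)) {
            ZipEntry e;
            while ((e = zin.getNextEntry()) != null) {
                Path target = resolveEntry(destDir, e.getName());
                if (e.isDirectory()) { Files.createDirectories(target); continue; }
                Files.createDirectories(target.getParent());
                Files.copy(zin, target, StandardCopyOption.REPLACE_EXISTING);
            }
        }
    }

    // Constructed in-memory archive: a benign entry plus the "../../evil.sh" name from the page.
    static byte[] craftedZip() throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ZipOutputStream zout = new ZipOutputStream(buf)) {
            zout.putNextEntry(new ZipEntry("docs/readme.txt"));
            zout.write("benign content".getBytes());
            zout.closeEntry();
            zout.putNextEntry(new ZipEntry("../../evil.sh"));
            zout.write("placeholder".getBytes());
            zout.closeEntry();
        }
        return buf.toByteArray();
    }

    public static void main(String[] args) throws IOException {
        Path dest = Files.createTempDirectory("unzip-dest");
        try {
            extract(new ByteArrayInputStream(craftedZip()), dest);
        } catch (IOException ex) {
            System.out.println("Rejected: " + ex.getMessage()); // the second entry is refused
        }
    }
}
```

Because entries are checked one at a time, the benign entry is already on disk when the traversal entry is rejected; a stricter extractor validates every name first and writes nothing if any fails.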

If you find a library or project that contains similar vulnerable code, we ask for your contribution to this repository so that the community has the most up-to-date information about the Zip Slip vulnerability. To contribute, please refer to our CONTRIBUTING.md file.

Affected Libraries

Many of the following affected libraries exist because their ecosystems lack high-level APIs providing basic archive management capabilities, which results in vulnerable code being shared and reused. The following table lists the vulnerable libraries we found during the private disclosure of Zip Slip; with community support, we aim to keep it up to date as more vulnerable libraries are discovered. Libraries that do not provide such a high-level API also tend to produce vulnerable implementations downstream, either because people copy and paste vulnerable private code or because they write their own vulnerable snippets.

| Vendor | Product | Language | Confirmed vulnerable | Fixed Version | CVE | Fixed |
|---|---|---|---|---|---|---|
| npm library | unzipper | JavaScript | YES | 0.8.13 | CVE-2018-1002203 | 17/4/2018 |
| npm library | adm-zip | JavaScript | YES | 0.4.9 | CVE-2018-1002204 | 23/4/2018 |
| Java library | codehaus/plexus-archiver | Java | YES | 3.6.0 | CVE-2018-1002200 | 6/5/2018 |
| Java library | zeroturnaround/zt-zip | Java | YES | 1.13 | CVE-2018-1002201 | 26/4/2018 |
| Java library | zip4j | Java | YES | 1.3.3 | CVE-2018-1002202 | 13/6/2018 |
| .NET library | DotNetZip.Semverd | .NET | YES | 1.11.0 | CVE-2018-1002205 | 7/5/2018 |
| .NET library | SharpCompress | .NET | YES | 0.21.0 | CVE-2018-1002206 | 2/5/2018 |
| Oracle | java.util.zip | Java | * No High Level API | Documentation Fix | N/A | |
| Apache | commons-compress | Java | * No High Level API | Documentation Fix | N/A | 23/4/2018 |
| .NET library | SharpZipLib | .NET | YES | v1.0.0 | CVE-2018-1002208 | 19/8/2018 |
| Ruby gem | zip-ruby | Ruby | * No High Level API | | N/A | |
| Ruby gem | rubyzip | Ruby | YES | | CVE-2018-1000544 | |
| Ruby gem | zipruby | Ruby | * No High Level API | | N/A | |
| Go library | archive | Go | * No High Level API | | N/A | |
| Python library | tarfile | Python | YES | | CVE-2007-4559 | |
| C++/qt library | quazip | C++ | YES | 0.7.6 | CVE-2018-1002209 | 12/6/2018 |
| Clojure library | Raynes/fs | Clojure | YES | akvo/fs 20180618-134534.a44cdd5b | N/A | 18/6/2018 |
| Go library | cloudfoundry/archiver | Go | YES | 24/5/2018 | N/A | 24/5/2018 |
| PHP library | chumper/zipper | PHP | YES | 1.0.3 | N/A | 26/2/2020 |
| Perl library | libarchive-zip-perl | Perl | YES | | CVE-2018-10860 | |
| Rust library | rs-async-zip | Rust | * No High Level API | Documentation Fix | N/A | |

Projects Affected and Fixed

The following projects contain vulnerable code. Please add to this list as you find projects that are vulnerable to Zip Slip, or if you have further information about a project's fix status.

| Vendor | Product | Fixed date | Fixed version | CVE | Vulnerable Code |
|---|---|---|---|---|---|
| Apache Storm | Storm | 2/5/2018 | 1.1.3, 1.2.2 | CVE-2018-8008 | #1 #2 #3 #4 |
| Apache Software Foundation | Apache Hadoop | 30/5/2018 #1 #2 | 2.7.7, 2.8.5, 2.9.2, 3.0.3, 3.1.1 | CVE-2018-8009 | |
| Apache | Maven | | | | |
| Apache | Ant | 21/4/2018 | 1.9.12 | CVE-2018-10886 | |
| Go library | mholt/archiver | 29/9/2020 | 3.3.2 | CVE-2019-10743 | |
| Pivotal | spring-integration-zip | 3/5/2018 | 1.0.1 | CVE-2018-1261 | |
| Pivotal | spring-integration-zip | 10/5/2018 | 1.0.2 | CVE-2018-1263 | |
| HP | Fortify Cloud Scan Jenkins Plugin | 27/4/2018 | 1.5.2 | | #1 |
| OWASP | DependencyCheck | 7/5/2018 | 3.2.0 | CVE-2018-12036 | |
| Amazon | AWS Toolkit for Eclipse | 31/5/2018 | | | |
| SonarSource | SonarQube | 4/5/2018 | 6.7.4 LTS, 7.2 | | #1 |
| Cinchapi | Concourse | 30/5/2018 | | | #1 |
| Orient Technologies | OrientDB | 31/5/2018 | | | #1 #2 |
| FenixEdu | Academic | 30/5/2018 | | | #1 |
| Lucee | Lucee | 5/6/2018 | 5.2.7.63, 5.2.8.47 | | #1 |
| groovy-common-extensions | groovy-common-extensions | 3/7/2018 | 0.7.1 | | #1 |
| fabric8 | fabric8 | 5/6/2018 | 2.2.170-85 | | #1 |
| Apache | Tika | 19/9/2018 | 1.19 | | |
| Apache | DeepLearning4J | 10/24/2018 | 1.0.0-SNAPSHOT | | |
| FireGiant | WiX Toolkit | 09/19/2019 | 3.11.2 | CVE-2019-16511 | |

Defensively fixed but deemed not exploitable

For some projects, the maintainers confirmed that their implementation was not vulnerable to Zip Slip. They nevertheless decided to remove or fix the implementation so that the snippet could not be copied elsewhere in future and become vulnerable there.

| Vendor | Product | Vulnerable Code Removed | Vulnerable Code |
|---|---|---|---|
| Apache | Kylin | 24/4/2018 | #1 |
| Apache | NiFi | 24/4/2018 | #1 |
| Apache | Geode | 20/4/2018 | |
| Jenkins | Jenkins CI | 5/5/2018 | #1 |
| Elastic | ElasticSearch | 10/5/2018 | #1 |
| LinkedIn | Pinot | 22/5/2018 | #1 |
| AnkiDroid | Anki-Droid | 31/5/2018 | #1 |
| ata4 | bspsrc | 30/5/2018 | #1 |
| eirslett | frontend-maven-plugin | 30/5/2018 | #1 #2 |

Affected and not yet fixed

| Vendor | Product | Vulnerable Code | CVE |
|---|---|---|---|
| unknwon | cae/zip | #1 | CVE-2020-7664 |
| unknwon | cae/tz | #1 | CVE-2020-7668 |

Deemed not exploitable by the maintainer (vulnerable implementation remains)

The final list is of projects whose code still contains a vulnerable implementation that is not exploitable: it is believed that these projects cannot be attacked in a way that leads to a malicious outcome, but the vulnerable pattern remains in the code base. We strongly encourage such projects to fix the implementation anyway, both to prevent it being reached through other functionality and to stop it being copied into other projects.

| Vendor | Product | Vulnerable Code |
|---|---|---|
| JetBrains | Intellij-community | #1 |
| Apache | Apex | #1 |
| Apache | Zeppelin | #1 |
| Apache | Reef | #1 |
| Apache | BookKeeper | #1 |
| Apache | Pulsar | #1 |
| Apache | Heron | #1 |
| Apache | Gobblin | #1 |
| Apache | Gobblin | #1 |
| Apache | SystemML | #1 |
| Gradle | Gradle | #1 |
| Gradle | Gradle | #1 |
| Gradle | Gradle | #1 |
| plasma-umass | doppio | #1 |
| streamsets | DataCollector | #1 |

For more information on Zip Slip, go to http://snyk.io/research/zip-slip-vulnerability.