ZIP Slip: The Archive Extraction Vulnerability Everywhere 📦

Understanding the Critical Security Flaw That Affects Thousands of Applications

In June 2018, security researchers disclosed one of the most widespread vulnerabilities in modern software development: ZIP Slip. This critical archive extraction vulnerability affects thousands of projects across multiple programming ecosystems, allowing attackers to write arbitrary files on target systems and potentially achieve remote code execution. Despite being publicly disclosed years ago, new instances of this vulnerability continue to emerge, with recent CVEs reported in 2025 affecting popular archiving libraries.

What is ZIP Slip?

ZIP Slip is a form of arbitrary file overwrite vulnerability that exploits directory traversal during archive extraction. The attack leverages specially crafted archive files containing filenames with path traversal sequences (like ../../evil.sh) that, when extracted, write files outside the intended destination directory.

The vulnerability isn’t limited to ZIP files alone. It affects multiple archive formats including:

• ZIP (.zip)
• TAR (.tar, .tar.gz)
• JAR (Java Archive)
• WAR (Web Application Archive)
• APK (Android Package)
• CPIO (.cpio)
• RAR (.rar)
• 7Z (.7z)

This widespread impact makes ZIP Slip one of the most dangerous vulnerabilities in file handling systems, affecting applications from major organizations including HP, Amazon, Apache, Pivotal, Oracle, LinkedIn, Twitter, and countless others.

The Technical Mechanics: How ZIP Slip Works

The Vulnerable Code Pattern

At its core, ZIP Slip exploits a simple but critical oversight in archive extraction code. Consider this vulnerable Java example:

Enumeration<ZipEntry> entries = zip.getEntries();
while (entries.hasMoreElements()) {
    ZipEntry entry = entries.nextElement();
    File file = new File(destinationDir, entry.getName());
    FileOutputStream fos = new FileOutputStream(file);
    // Extract file...
}

The problem lies in the second line: new File(destinationDir, entry.getName()). This code blindly concatenates the destination directory with the entry name from the ZIP file without validation. If entry.getName() returns something like ../../../etc/cron.d/malicious, the file will be written to /etc/cron.d/malicious instead of staying within the intended destination directory.

Anatomy of a Malicious Archive

Creating a malicious ZIP Slip payload involves crafting an archive with specially formatted filenames. While standard compression utilities don’t support creating these files, attackers can use custom code or specialized tools to generate them.

A typical malicious archive structure might look like:

exploit.zip
├── good_file.txt
├── ../../../../../../tmp/backdoor.sh
├── ../../../etc/cron.d/persistence
└── ../../../../var/www/html/shell.php

When this archive is extracted by vulnerable code, files are written to locations far outside the intended extraction directory, potentially overwriting critical system files, configuration files, or executable scripts.

Real-World Attack Scenarios

Scenario 1: Web Application Shell Upload

An attacker uploads a malicious ZIP file to a web application with a plugin installation feature. The ZIP contains:

legitimate_plugin_files/...
../../../../var/www/html/shell.php

After extraction, the attacker gains a web shell at https://target.com/shell.php, allowing remote code execution with the web server’s privileges.

Scenario 2: System Configuration Tampering

A malicious archive targeting a Linux system might include:

../../.ssh/authorized_keys
../../../etc/cron.d/backdoor

This allows the attacker to add their SSH key for persistent access or create scheduled tasks that execute malicious code.

Scenario 3: Mobile Application Exploitation

For Android applications, an attacker could craft an APK update containing:

../../data/data/com.target.app/shared_prefs/settings.xml
../../../lib/libmalicious.so

This overwrites application preferences or injects malicious native libraries.

Why This Vulnerability is Everywhere

The Ecosystem Problem

ZIP Slip’s prevalence stems from several systemic issues in software development:

1. Lack of Standard Libraries: Many programming ecosystems, particularly Java, lack centralized, high-level libraries for archive processing. This forces developers to write their own extraction code or copy vulnerable snippets from online sources.

2. Code Reuse Culture: Developers frequently copy code from Stack Overflow, GitHub repositories, and other community sources. When a vulnerable code snippet becomes popular, it propagates rapidly across thousands of projects.

3. Transitive Dependencies: Applications don’t just depend on libraries they directly include—they also inherit dependencies of those libraries. A vulnerability in a deeply nested dependency can affect applications several layers removed.

4. Incomplete Security Awareness: Many developers aren’t trained to recognize path traversal vulnerabilities in archive extraction contexts, treating archive handling as a routine file operation rather than a security-critical function.

Recently Discovered Instances

The vulnerability continues to surface in new contexts:

• CVE-2025-3445 (April 2025): A ZIP Slip vulnerability was discovered in the popular Go library mholt/archiver, affecting applications using the archiver.Unarchive() functionality. The vulnerability allows path traversal through specially crafted symlinks in ZIP files.

• CVE-2024-21518 (2024): OpenCart’s marketplace installer was found vulnerable to ZIP Slip, allowing arbitrary file writes through the admin panel.

• CVE-2024-43399 (2024): The Mobile Security Framework (MobSF) contained a critical ZIP Slip vulnerability in its APK analysis functionality.

These recent discoveries demonstrate that despite years of awareness, new instances continue to emerge in both legacy and modern codebases.

The Impact: What Attackers Can Achieve

Immediate Consequences

Remote Code Execution (RCE): The most severe outcome of ZIP Slip exploitation. Attackers can overwrite executable files, shell scripts, or dynamic libraries that are subsequently executed by the system or users.

Data Destruction: Malicious archives can target critical data files, configuration databases, or backup files, leading to data loss or corruption.

Privilege Escalation: By overwriting sensitive system files like /etc/sudoers or SSH authorized keys, attackers can escalate their privileges on the target system.

Persistence Mechanisms: Attackers can establish long-term access by modifying startup scripts, cron jobs, systemd services, or other auto-execution mechanisms.

Secondary Attack Vectors

ZIP Slip often serves as an initial foothold for more sophisticated attacks:

• Supply Chain Attacks: Compromising build systems or dependency repositories by injecting malicious code through ZIP Slip
• Lateral Movement: Using one compromised system to extract malicious archives on other network-connected systems
• Ransomware Deployment: Overwriting critical files before encrypting them, making recovery without backups impossible

Detecting ZIP Slip Vulnerabilities

Code Auditing Techniques

1. Search for Vulnerable Patterns

Look for code that extracts archives without proper validation:

// RED FLAG: Direct concatenation without validation
File file = new File(baseDir, entry.getName());

// RED FLAG: No path canonicalization check
String filePath = destinationDir + File.separator + entry.getName();

2. Analyze Archive Processing Functions

Examine any code that: - Opens ZIP, TAR, RAR, or other archive files - Iterates through archive entries - Writes extracted content to disk - Processes uploaded archive files

3. Dependency Scanning

Use automated tools to identify vulnerable dependencies. Security platforms like Snyk maintain updated lists of affected libraries across multiple ecosystems.

Runtime Detection Strategies

File System Monitoring: Implement monitoring for unexpected file writes outside designated directories, particularly for system-critical paths like /etc, /bin, and /lib.

Archive Content Inspection: Before extraction, scan archive contents for suspicious filename patterns containing: - ../ or ..\ sequences - Absolute paths (starting with / or drive letters) - Special characters or encoding tricks designed to bypass filters

Sandbox Extraction: Extract archives in isolated environments (containers, VMs) before moving verified content to production systems.

Prevention and Mitigation Strategies

Secure Coding Practices

1. Path Validation and Canonicalization

Always validate extracted file paths against the intended destination directory:

public static boolean isSafePath(File destination, ZipEntry entry) throws IOException {
    File destinationFile = new File(destination, entry.getName());
    String canonicalDestination = destination.getCanonicalPath();
    String canonicalTarget = destinationFile.getCanonicalPath();
    
    return canonicalTarget.startsWith(canonicalDestination + File.separator);
}

2. Use Secure Libraries

Prefer libraries with built-in ZIP Slip protection:

• Java: Apache Commons Compress (recent versions)
• Python: Use zipfile with proper validation
• .NET: Use System.IO.Compression with path checks
• Node.js: Libraries like extract-zip with security patches

3. Implement Defense in Depth

import os
import zipfile

def safe_extract(zip_path, extract_to):
    with zipfile.ZipFile(zip_path, 'r') as zip_ref:
        for member in zip_ref.namelist():
            # Normalize and validate the path
            member_path = os.path.normpath(os.path.join(extract_to, member))
            
            # Ensure it's within the extraction directory
            if not member_path.startswith(os.path.abspath(extract_to)):
                raise Exception(f"Attempted path traversal: {member}")
            
            # Additional checks
            if os.path.isabs(member):
                raise Exception(f"Absolute path not allowed: {member}")
            
            # Safe to extract
            zip_ref.extract(member, extract_to)

Application-Level Protections

1. File Upload Restrictions

• Limit accepted archive formats to only what’s necessary
• Implement file size limits to prevent zip bomb attacks
• Require authentication and authorization for archive upload functionality
• Log all archive extraction operations with detailed metadata

2. Least Privilege Principle

Run archive extraction processes with minimal permissions: - Use dedicated service accounts with restricted filesystem access - Implement mandatory access control (MAC) policies - Utilize containers or sandboxes for untrusted content

3. Input Validation

Before processing any archive: - Scan for malware and suspicious patterns - Validate archive structure and integrity - Check for unreasonable compression ratios (potential zip bombs) - Reject archives with suspicious entry names

Infrastructure Considerations

Container Isolation: Extract archives within Docker containers or similar isolation technologies, preventing any path traversal from affecting the host system.

File System Permissions: Configure strict permissions on system directories to prevent unauthorized writes, even if path traversal succeeds.

Network Segmentation: Isolate systems that process user-uploaded archives from critical infrastructure to limit blast radius.

Testing for ZIP Slip

Creating Test Cases

Security teams should include ZIP Slip tests in their assessment routines:

Test Case 1: Basic Traversal

Archive contains: ../../../etc/test.txt
Expected result: Extraction fails or file contained within destination

Test Case 2: Encoded Traversal

Archive contains: ..%2F..%2F..%2Fetc%2Ftest.txt
Expected result: Extraction fails after decoding

Test Case 3: Windows Path Traversal

Archive contains: ..\..\..\Windows\System32\test.dll
Expected result: Extraction fails on Windows systems

Test Case 4: Absolute Paths

Archive contains: /tmp/malicious.sh
Expected result: Absolute paths rejected

Automated Testing Tools

Several tools can help identify ZIP Slip vulnerabilities:

• Snyk: Comprehensive dependency scanning with ZIP Slip detection
• OWASP Dependency-Check: Open-source tool for identifying vulnerable components
• SonarQube: Static analysis with security rules for path traversal
• Custom Scripts: Write specific tests targeting your archive handling code

Why Every File Upload Feature Needs Validation

File upload functionality is ubiquitous in modern applications:

• CMS Platforms: WordPress, Drupal, and similar systems allow plugin/theme uploads
• Cloud Storage: Dropbox, Google Drive, and OneDrive handle billions of archives
• Development Tools: Package managers, CI/CD systems, and IDE plugins process archives continuously
• Mobile Apps: App stores, update mechanisms, and content delivery systems
• Enterprise Software: Document management, backup systems, and collaboration tools

Each of these represents a potential attack surface. A single unvalidated archive extraction can compromise entire systems, making validation non-negotiable.

The Upload-to-Execution Pipeline

Consider the typical flow:

1. User uploads archive
2. Server stores file temporarily
3. Extraction process begins (VULNERABLE POINT)
4. Application processes extracted content
5. Content becomes available to users/system

The extraction step is where ZIP Slip strikes. By the time the application realizes something is wrong (if ever), malicious files may already be written to critical locations.

Industry Response and Current Status

The security community has made significant efforts to address ZIP Slip:

Library Patches: Most major archiving libraries have released patches. The Snyk team maintains a GitHub repository tracking affected libraries and their fix status across ecosystems.

Developer Education: Security training programs now include ZIP Slip as a core topic in secure coding curricula.

Automated Scanning: Modern security tools include ZIP Slip detection in their vulnerability databases, helping organizations identify affected dependencies.

Standard Improvements: Some ecosystems are developing centralized, secure archive processing libraries to reduce the need for custom implementations.

However, challenges remain:

• Legacy Systems: Older applications may never receive updates
• Dependency Hell: Updating vulnerable transitive dependencies can break applications
• Zero-Day Variants: New variations continue to emerge, as evidenced by 2025 CVEs
• Developer Awareness: Many developers remain unaware of the issue

Best Practices Summary

For Developers

1. Never trust archive entry paths - Always validate against the extraction directory
2. Use secure libraries - Leverage well-maintained libraries with built-in protections
3. Implement allowlists - Define acceptable file locations and reject everything else
4. Add security tests - Include ZIP Slip tests in your test suites
5. Follow least privilege - Run extraction with minimal filesystem permissions

For Security Teams

1. Conduct regular audits - Scan codebases and dependencies for vulnerable patterns
2. Implement monitoring - Detect suspicious file write operations in real-time
3. Educate developers - Ensure teams understand path traversal risks
4. Test upload features - Specifically target archive handling in penetration tests
5. Maintain incident response plans - Prepare for potential ZIP Slip exploitation

For Organizations

1. Update dependencies - Keep archiving libraries current with security patches
2. Adopt DevSecOps - Integrate security scanning into CI/CD pipelines
3. Enforce code review - Require security review for any archive handling code
4. Deploy defense in depth - Use multiple layers of protection (validation, sandboxing, permissions)
5. Plan for incidents - Have rollback procedures for compromised systems

The Future of Archive Security

As applications continue to rely heavily on archive files for everything from software distribution to data backup, the importance of secure archive handling will only grow.

Emerging Threats: New variations of ZIP Slip continue to appear, including: - Symlink-based traversal (as seen in CVE-2025-3445) - Encoding tricks that bypass simple filters - Time-of-check-time-of-use (TOCTOU) attacks during extraction

Cloud-Native Concerns: Serverless functions and containerized applications introduce new attack vectors where ZIP Slip could compromise IAM policies, Lambda functions, or container orchestration systems.

AI and Automation: As AI-powered development tools generate more code, ensuring they don’t reproduce vulnerable patterns becomes critical.

Conclusion

ZIP Slip represents a perfect storm of security vulnerabilities: it’s easy to exploit, difficult to detect, widespread across ecosystems, and can have catastrophic consequences. The vulnerability’s persistence—with new instances discovered in 2025—demonstrates that awareness alone isn’t sufficient.

Every application that processes archives, particularly those accepting user uploads, must implement proper validation and security measures. The stakes are too high to rely on assumptions about archive integrity or trust that “it won’t happen to us.”

By understanding the technical details of ZIP Slip, implementing robust validation, using secure libraries, and maintaining vigilance through testing and monitoring, developers and organizations can protect their systems from this pervasive threat. The vulnerability may be everywhere, but with proper precautions, its exploitation doesn’t have to be.

Remember: Trust no archive. Validate every path. Secure your extractions. Your system’s security depends on it.

---

Additional Resources

• Snyk ZIP Slip Research: https://security.snyk.io/research/zip-slip-vulnerability
• GitHub Repository: https://github.com/snyk/zip-slip-vulnerability
• OWASP Path Traversal: https://owasp.org/www-community/attacks/Path_Traversal
• CISA Advisories: Regular updates on industrial control systems affected by ZIP Slip
• CVE Database: Search for “ZIP Slip” or “path traversal” for latest disclosures

Article Length: ~2,000 words
Last Updated: November 2025
SEO Keywords: ZIP Slip vulnerability, archive extraction security, path traversal attack, file upload security, directory traversal, ZIP file exploit, secure archive handling, CVE-2025-3445, malicious archive, remote code execution