

Zip Slip

Zip Slip is a critical vulnerability that occurs when extracting files from a compressed archive (e.g., ZIP, TAR) without proper validation of file paths. An attacker can craft a malicious archive containing files with path traversal sequences (e.g., `../../`) or absolute paths. When extracted, these files may escape the intended directory, allowing an attacker to overwrite sensitive files, expose confidential data, or execute arbitrary code.

Remediation

  • Before extracting files, canonicalise and validate destination paths to ensure they remain within the intended extraction directory. Reject any entries attempting path traversal or absolute path usage.
  • Use secure, actively maintained archive-handling libraries that implement protections against directory traversal.
  • Sanitize file names to remove control characters, path separators, or patterns that could alter expected behaviour.
  • Configure extraction processes to prevent overwriting of existing files, particularly sensitive or system-critical ones.
  • Apply the principle of least privilege to the extraction context (e.g., drop unnecessary permissions and avoid running as root).
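The first and fourth remediation points, worked through in Go (the language of the labs linked below) as an added example that is not SecDim's lab code: `safeJoin`, `Extract` and `ErrUnsafePath` are names chosen here, the archive is read with the standard `archive/zip` package, and the containment check is purely lexical, so it assumes `dest` itself holds no symlinks pointing elsewhere.

```go
package main
import (
	"archive/zip"
	"errors"
	"os"
	"path/filepath"
	"strings"
)

var ErrUnsafePath = errors.New("zip slip: entry resolves outside the extraction directory")

// safeJoin canonicalises dest/name and rejects absolute names and any name whose cleaned form leaves dest.
func safeJoin(dest, name string) (string, error) {
	target := filepath.Join(dest, filepath.FromSlash(name)) // Join also Cleans, so "../" is resolved here
	rel, err := filepath.Rel(dest, target)
	if filepath.IsAbs(name) || err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(os.PathSeparator)) {
		return "", ErrUnsafePath
	}
	return target, nil
}

// Extract fails closed on the first unsafe entry, creates parent directories on demand (directory
// entries themselves are skipped) and opens files with O_EXCL so an archive can never overwrite a file.
func Extract(zr *zip.Reader, dest string) error {
	for _, f := range zr.File {
		target, err := safeJoin(dest, f.Name)
		if err != nil {
			return err
		}
		if f.FileInfo().IsDir() {
			continue
		}
		if err := os.MkdirAll(filepath.Dir(target), 0o755); err != nil {
			return err
		}
		rc, err := f.Open()
		if err != nil {
			return err
		}
		out, err := os.OpenFile(target, os.O_WRONLY|os.O_CREATE|os.O_EXCL, 0o644)
		if err == nil {
			_, err = out.ReadFrom(rc) // *os.File implements io.ReaderFrom
			out.Close()
		}
		rc.Close()
		if err != nil {
			return err
		}
	}
	return nil
}
```

Because the check is lexical, a symlink that already exists under `dest` (CWE-59) is not followed or detected; resolve `dest` with `filepath.EvalSymlinks` before extracting and run the extraction as an unprivileged user.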

Metadata

  • Severity: medium
  • Slug: zip-slip

CWEs

  • 22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
  • 23: Relative Path Traversal
  • 59: Improper Link Resolution Before File Access ('Link Following')
  • 36: Absolute Path Traversal
  • 73: External Control of File Name or Path

OWASP

  • A01:2021: Broken Access Control
  • A05:2021: Security Misconfiguration

Available Labs

Open Go labs in SecDim Play for this vulnerability.
