Zip Slip is the name given to a critical vulnerability that, as the name suggests, is all about Zip files. The massive vulnerability was discovered and researched by cyber security firm Snyk, which disclosed that thousands of projects may be affected.

How Hackers Use Zip Slip

The most interesting (and alarming) thing about Zip Slip is its simplicity. Hackers can create Zip files that use path traversal in entry names to overwrite vital system files, either destroying them or replacing their code with potentially malicious alternative code. The Zip Slip vulnerability also gives attackers the ability to execute code remotely in parts of the system that are used on a regular basis, such as system files and even popular applications used daily.
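The missing check behind Zip Slip is a comparison between each entry's resolved path and the extraction directory. The sketch below is an added example, not code from Snyk or from any affected project; the function names `unsafe_entries`, `safe_extract` and `build_sample` are hypothetical, and the sample archives are constructed in memory.

```python
import io
import os
import zipfile


def unsafe_entries(archive_bytes, dest_dir):
    """Return names of entries whose resolved path falls outside dest_dir."""
    dest_root = os.path.realpath(dest_dir)
    flagged = []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for name in zf.namelist():
            # Resolve the path the entry would be written to if its name
            # were joined to the destination without any sanitising.
            target = os.path.realpath(os.path.join(dest_root, name))
            # An entry is safe only if the destination is a prefix of it.
            if os.path.commonpath([dest_root, target]) != dest_root:
                flagged.append(name)
    return flagged


def safe_extract(archive_bytes, dest_dir):
    """Extract only if every entry stays inside dest_dir; otherwise refuse."""
    bad = unsafe_entries(archive_bytes, dest_dir)
    if bad:
        raise ValueError("archive rejected, entries escape target: %r" % bad)
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        zf.extractall(dest_dir)


def build_sample(names):
    """Constructed sample archive: one small text entry per name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in names:
            zf.writestr(name, "sample")
    return buf.getvalue()
```

Rejecting the whole archive, rather than skipping the flagged entries, keeps a partially extracted upload from being processed and leaves a clear event to log.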

What Is Affected?

According to Snyk, it is not a single operating system issue, nor is it a problem with the Zip file format. It is a small section of programming that has been repeated across many different projects and operating system ecosystems. Some of the programming ecosystems that have the bad sections include Ruby on Rails, Go, and .NET. However, the most severely affected is JavaScript, due to the lack of a central library that can offer high-level processing of Zip, or archive, files. This oversight, the lack of a central library, meant that handcrafted code had to be deployed, and this code was shared between many different development platforms. A software library is a small section of code that is designed to work across other software projects. The Zip Slip vulnerability has therefore spread to many programming languages and projects. It’s a multi-step fix: the libraries need to be patched, as well as the software that uses the library.
Snyk has posted a list of projects and libraries with diagnosed vulnerabilities on GitHub. Users should check whether they are using vulnerable software and download the patch to get their systems fixed.