Security researchers have disclosed today details about a critical vulnerability impacting open source coding libraries that handle archived files.
Discovered by the researchers from Synk, the "Zip Slip" vulnerability is an issue in the way coders, plugins, and libraries have implemented the process of decompressing an archived file.
Numerous archive formats, including tar, jar, war, cpio, apk, rar, and 7z, are affected, meaning this is more of a theoretical issue, rather than a specific coding bug.
Vulnerability leads to files being unzipped in the wrong places
According to researchers, Zip Slip is a combination between an "arbitrary file overwrite" and "directory traversal" issues that can lead to situations where an attacker can unzip files outside the normal unzip path and overwrite sensitive files, such as critical OS libraries or server configuration files.
"The two parts required to exploit this vulnerability is a malicious archive and extraction code that does not perform validation checking," the Synk team said today in a security advisory.
Researchers said they found this flaw in April, and they have been working with the maintainers of several open-source libraries that were vulnerable to this attack.