Dubbed "Zip Slip," the issue is an arbitrary file overwrite vulnerability that triggers from a directory traversal attack while extracting files from an archive and affects numerous archive formats, including tar, jar, war, cpio, apk, rar, and 7z.
Went undetected for years, the vulnerability can be exploited using a specially crafted archive file that holds directory traversal filenames, which if extracted by any vulnerable code or a library, would allow attackers to unarchive malicious files outside of the folder where it should reside.
"The vulnerability can also cause damage by overwriting configuration files or other sensitive resources, and can be exploited on both client (user) machines and servers."
"The contents of this zip file have to be handcrafted. Archive creation tools don't typically allow users to add files with these paths, despite the zip specification allowing it. However, with the right tools, it's easy to create files with these paths."The company has also published proof-of-concept Zip Slip archives and released a video demonstration, showing how attackers can exploit the Zip Slip vulnerability.
Since April, the company started privately disclosing the Zip Slip vulnerability to all vulnerable libraries and projects maintainers.
A list of all affected libraries and projects has also been posted on Snyk's GitHub repository, some of which have already fixed the issue with the release of updated versions.
Moreover, you can also read Snyk's blog post to learn more about vulnerable codes in different ecosystems through example snippets.