Zip Slip, Path Traversal Vulnerability during File Decompression
Overview
Path traversal, or directory traversal, vulnerabilities are security vulnerabilities that occur mainly due to improper validation of user input. Using relative or absolute paths, attackers can read, modify, or even create files that are normally inaccessible or located in unintended paths. Although these vulnerabilities have been known for a long time, they are still being discovered in various environments and applications, not just web environments. This article examines Zip Slip, a path traversal vulnerability that occurs when compression programs decompress files, and introduces the major vulnerabilities of this type.
What Is Zip Slip?
Zip Slip is a vulnerability in which the file paths stored in a compressed file are maliciously manipulated so that extraction creates files outside the target directory or overwrites existing files. If a user extracts an archive that an attacker crafted to exploit this vulnerability, files can be created at the path the attacker specified.
For example, in a Linux environment, if a compressed file contains the following relative path and the path is not properly validated during decompression in a compression application with the Zip Slip vulnerability, the /etc/passwd file can be overwritten.
../../../../etc/passwd
In Windows, if the archive is extracted using a relative path to the user’s Startup folder as shown below, the files or commands inserted by the attacker are executed every time the system boots.
/../AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup/
Zip Slip is not limited to a specific compression format. Path traversal attacks can be conducted against any compression format that stores file paths, such as ZIP, TAR, RAR, and 7Z.
The file structure differs for each compression format, but the structure of ZIP, a representative format, shows that file path information is included.
The table below shows the file headers of a ZIP file.
| Bytes | Size | Description |
| --- | --- | --- |
| 0 | 4 | Magic number. Must be 50 4B 03 04 |
| 4 | 2 | Version needed to extract (minimum). |
| 6 | 2 | General purpose bit flag. |
| 8 | 2 | Compression method; e.g. none = 0, DEFLATE = 8 (or “\0x08\0x00”). |
| 10 | 2 | File last modification time. |
| 12 | 2 | File last modification date. |
| 14 | 4 | CRC-32 of uncompressed data. |
| 18 | 4 | Compressed size (or FF FF FF FF for ZIP64). |
| 22 | 4 | Uncompressed size (or FF FF FF FF for ZIP64). |
| 26 | 2 | File name length (n). |
| 28 | 2 | Extra field length (m). |
| 30 | n | File name. |
| 30+n | m | Extra field. |
[Table 1] ZIP File Header (Source: Wikipedia)
According to the table above, the File name field starts at offset 30 (0x1E) of the ZIP file header and runs for the number of bytes given in File name length.
The File name field specifies the name of the file to be created upon extraction, but it can also hold a file name that includes a path. In that case, the extractor creates the subfolders and then extracts the file to that location.
Attackers can insert relative paths into the File name field by using the zipfile module of Python or directly manipulating the ZIP file.
The image below shows the structure of a ZIP file with a relative path inserted into the File name field. In the image, you can see that the file path is included from the 0x1E offset. If the created compressed file is downloaded to the %USERPROFILE%\Downloads path and extracted with a compression program that is vulnerable to Zip Slip attacks, the file is created in the Start menu folder.

[Figure 1] ZIP File Including Extracted File Path
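The header layout in Table 1 can be read directly to audit an archive before it is extracted. The following is an added example, not code from the original article: it walks the local file headers, reads the File name field at offset 0x1E, and flags names that contain a parent-directory component. The function names and the in-memory sample archive are constructed for illustration.

```python
import io
import struct
import zipfile

LOCAL_SIG = b"PK\x03\x04"            # magic number 50 4B 03 04 (offset 0)
LOCAL_FMT = "<4sHHHHHIIIHH"          # the fixed 30-byte part of Table 1
FIXED_LEN = struct.calcsize(LOCAL_FMT)

def local_file_names(data: bytes):
    """Walk the local file headers and return (offset, file name) pairs."""
    found, pos = [], 0
    while data[pos:pos + 4] == LOCAL_SIG and len(data) - pos >= FIXED_LEN:
        (_sig, _ver, flags, _method, _mtime, _mdate, _crc,
         csize, _usize, n, m) = struct.unpack_from(LOCAL_FMT, data, pos)
        raw = data[pos + FIXED_LEN:pos + FIXED_LEN + n]   # name starts at 0x1E
        # Bit 11 of the general purpose flag marks a UTF-8 name, else CP437.
        enc = "utf-8" if flags & 0x800 else "cp437"
        found.append((pos, raw.decode(enc, "replace")))
        if flags & 0x08:   # sizes sit in a trailing data descriptor; stop here
            break
        pos += FIXED_LEN + n + m + csize                  # skip name, extra, data
    return found

def has_parent_ref(name: str) -> bool:
    """True if any path component is '..', with either separator."""
    return ".." in name.replace("\\", "/").split("/")

def build_sample() -> bytes:
    """Constructed in-memory archive: one ordinary entry, one with '../'."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", "ok")
        zf.writestr("../../outside.txt", "constructed test entry")
    return buf.getvalue()

def audit(data: bytes):
    """Return (file name, flagged) for every local file header found."""
    return [(name, has_parent_ref(name)) for _, name in local_file_names(data)]

if __name__ == "__main__":
    for name, flagged in audit(build_sample()):
        print(("FLAG " if flagged else "ok   ") + name)
```

The central directory at the end of a ZIP file carries its own copy of each file name, so a complete audit compares both copies rather than trusting one.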
In addition to ZIP files, path information can be included in the file name area of other compressed file formats such as 7Z and RAR.
In the images below, you can see that the file path and name are included in the structure of RAR and TAR files.

[Figure 2] RAR File Including Extracted File Path

[Figure 3] TAR File Including Extracted File Path
Some file formats allow the file paths and names to be checked within the file itself, but there are also non-plaintext formats like 7Z. Even when the path is not saved in plain text, issues can occur while the path string is handled after decryption to plain text.
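Whatever the archive format, the check that a vulnerable extractor lacks is applied to the member name at the moment it is turned into a filesystem path. The following is an added example, not code from the original article: it resolves each member name against the destination and rejects the whole archive before writing anything if a name leaves that directory. The function names and the in-memory sample archives are constructed for illustration, and rejecting every name that contains ":" is a conservative policy assumed here to cover drive letters and alternate data streams.

```python
import io
import shutil
import tempfile
import zipfile
from pathlib import Path

def safe_target(dest: Path, member_name: str) -> Path:
    """Map an archive member name to a path under dest, or raise ValueError."""
    name = member_name.replace("\\", "/")        # treat both separators alike
    if name.startswith("/") or ":" in name:      # absolute path, drive letter, ADS
        raise ValueError(f"absolute or device path: {member_name!r}")
    root = dest.resolve()
    target = (root / name).resolve()             # collapses '..', follows symlinks
    if root not in target.parents:
        raise ValueError(f"escapes destination: {member_name!r}")
    return target

def safe_extract_zip(zf: zipfile.ZipFile, dest) -> list:
    """Validate every member first; a single bad name aborts with nothing written."""
    dest = Path(dest).resolve()
    plan = [(info, safe_target(dest, info.filename)) for info in zf.infolist()]
    for info, target in plan:
        (target if info.is_dir() else target.parent).mkdir(parents=True, exist_ok=True)
        if not info.is_dir():
            with zf.open(info) as src, open(target, "wb") as out:
                shutil.copyfileobj(src, out)
    return [t.relative_to(dest).as_posix() for _, t in plan]

def make_zip(names) -> zipfile.ZipFile:  # constructed in-memory sample archive
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for n in names:
            zf.writestr(n, "sample")
    return zipfile.ZipFile(io.BytesIO(buf.getvalue()))

def demo():
    with tempfile.TemporaryDirectory() as d:
        ok = safe_extract_zip(make_zip(["docs/readme.txt"]), d)
        try:
            safe_extract_zip(make_zip(["a.txt", "../../outside.txt"]), d)
            blocked = False
        except ValueError:
            blocked = True
        written = sorted(p.name for p in Path(d).rglob("*") if p.is_file())
    return ok, blocked, written

if __name__ == "__main__":
    print(demo())
```

For TAR archives, Python 3.12 and later offer `tarfile.TarFile.extractall(filter="data")`, which applies comparable checks.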
Major Vulnerabilities
CVE-2025-8088
The path traversal vulnerability found in RARLAB WinRAR versions prior to 7.13 allows attackers to create files at arbitrary locations upon extracting compressed files by evading path validation using the traversal character “..\” and Alternate Data Stream (ADS). The vulnerability was discovered by ESET researchers and has been reported to be exploited by the RomCom APT group.
CVE-2025-6218
A Remote Code Execution (RCE) vulnerability was discovered in WinRAR 7.12 and earlier versions. The vulnerability occurs due to insufficient validation of attacker-injected relative paths, allowing remote command execution via parent directory traversal. The vulnerability is exploited by including a relative path in the name of the file to be generated upon extraction, especially when the path includes whitespace to bypass the existing relative path validation filtering. For a simple PoC and references, visit ignis-sec GitHub CVE-2025-6218.
CVE-2022-30333
This vulnerability affects RARLAB Unrar versions prior to 6.12 and occurs when extracting files in RAR format in Linux/Unix environments. The attack can be conducted using the most basic ../../example method to overwrite files at arbitrary paths such as ~/.ssh/authorized_keys or to create new files.
CVE-2018-20250
The vulnerability occurs due to inadequate path filtering when extracting ACE files with WinRAR versions prior to 5.61. The Ace32Loader.exe process, which is executed during the extraction of ACE files, uses the UNACEV2.dll module. Within UNACEV2.dll, it is possible to bypass the path string processing logic to access parent directories by evading the filtering on “:” and “\” characters.
Conclusion
The Zip Slip vulnerability can be exploited simply by extracting a file without directly running scripts or executable files, potentially leading to arbitrary code execution based on the path specified by the attacker. Moreover, the payloads used in the attack are not limited to a specific file type or extension, and any compressed file containing path information can be used for the attack.
However, as the Zip Slip vulnerability requires the user to interact with the extracted file, users need to be extra cautious when extracting suspicious zip files. Also, it is recommended to regularly update the application to the latest version.
References
https://nvd.nist.gov/vuln/detail/CVE-2025-6218
https://nvd.nist.gov/vuln/detail/cve-2022-30333
https://nvd.nist.gov/vuln/detail/cve-2018-20250
https://nvd.nist.gov/vuln/detail/CVE-2025-8088