Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Vulnerable to zip slip

See original GitHub issue

It appears as decompress is vulnerable to archives containing files that hold path-traversal names such as ../../outside.txt.

As a PoC I have attached a .tar.gz-archive(slip.tar.gz) that will, when extracted, create a file in /tmp/slipped.txt. Use the example code to extract:

const decompress = require('decompress');

decompress('slip.tar.gz', 'dist').then(files => {

Note that this will not work out-of-the-box with .zip-archives since yauzl will throw an exception if the entry’s filename contains “..”.

However, since this package also supports symlinks we can use that instead to bypass this limitation. But just adding a symlink to our desired target location won’t do the trick - since the archive’s files are being extracted asynchronous (index.js#44-73) we will end up in a race condition between extracting the symlink and the file referencing it.

By creating a directory and within that create a symlink to its’ parent directory. Continue with creating a symlink to / and a file with a name using a looped structure of all symlinks to the target. We end up with something like;

mkdir generic_dir
ln -s ../ generic_dir/symlink_to_parent_dir
ln -s / symlink_to_root
touch generic_dir/symlink_to_parent_dir/generic_dir/symlink_to_parent_dir/[...]/symlink_to_root/tmp/slipped_zip.txt

Adding this to an archive allows us to always win the race! Here’s a PoC (, that when extracted will create a file in /tmp/slipped_zip.txt. Demonstrating how this also works for zip-archives using symlinks.

Issue Analytics

  • State:closed
  • Created 4 years ago
  • Reactions:39
  • Comments:35 (2 by maintainers)

github_iconTop GitHub Comments

metacodingcommented, Feb 26, 2020

Now ‘npm audit’ warns this vulnerability as a high risk one. I am using filePond in my React app and because FilePond is dependent to this package I got 9 High Risk vulnerabilities and none of them can be solved because there is no patch available yet. Please somebody who knows this package, submit a fix.


Eyascommented, Feb 28, 2020

NPM security needs to get a grip. This isn’t a security problem. Does this bypass filesystem security? Nope. i.e. every file in an archive is an “arbitrary file”.

The problem isn’t that the files are arbitrary, it’s that unpacking an archive can result in files writing to arbitrary paths. So if you unpack to /tmp/foo a malicious .tar.gz can trick this library into outputing a file to /usr/bin instead, etc.

Definitely a security risk.

Read more comments on GitHub >

github_iconTop Results From Across the Web

snyk/zip-slip-vulnerability - GitHub
Zip Slip is a widespread critical archive extraction vulnerability, allowing attackers to write arbitrary files on the system, typically resulting in remote ...
Read more >
The Zip Slip vulnerability – what you need to know
The vulnerability exists when the extraction code omits validation on the file paths in the archive. They might also question why these poorly- ......
Read more >
ZIP Slip - GeeksforGeeks
ZIP Slip is a highly critical security vulnerability aimed at these kind of applications. ZIP Slip makes your application vulnerable to Path ...
Read more >
Zip Based Exploits: Zip Slip and Zip Symlink Upload
After that, we discuss how developers can mitigate these attack vectors to secure their web applications and therefore sensitive and private ...
Read more >
Zip Slip To Reverse Shell In OpenRefine | White Oak Security
Zip Slip is a potential vulnerability within web applications where a library used to perform archive extraction does not adequately sanitize ...
Read more >

github_iconTop Related Medium Post

No results found

github_iconTop Related StackOverflow Question

No results found

github_iconTroubleshoot Live Code

Lightrun enables developers to add logs, metrics and snapshots to live code - no restarts or redeploys required.
Start Free

github_iconTop Related Reddit Thread

No results found

github_iconTop Related Hackernoon Post

No results found

github_iconTop Related Tweet

No results found

github_iconTop Related Post

No results found

github_iconTop Related Hashnode Post

No results found