
Zip Slip

security · CWE-22 · OWASP A1:2021 · CVSS 8.1 · PHP 5.0+ · Intermediate

Also Known As

archive path traversal, zip path traversal, tar slip

TL;DR

A path traversal attack via crafted archive filenames (e.g. ../../evil.php) that escape the extraction directory during unzip.

Explanation

Zip Slip exploits archive libraries that extract file entries without stripping path components. A maliciously crafted zip containing an entry named ../../etc/cron.d/evil or ../../var/www/html/shell.php will write outside the intended extraction directory. PHP's ZipArchive does not automatically prevent this — validate every entry name with realpath() or basename() before extraction and confirm the resolved path starts with the intended target directory. The vulnerability also affects .tar.gz, .tar.bz2, and other archive formats.

Common Misconception

Zip slip only affects applications that explicitly extract archives. Any library that handles archives on behalf of the application — including file upload processors, asset pipelines, and deployment tools — can be vulnerable if it does not sanitise extracted paths.

Why It Matters

A malicious zip archive containing entries with paths like ../../webroot/shell.php will extract files outside the intended directory when the path is not validated, enabling web shell deployment.

Common Mistakes

  • Using ZipArchive::extractTo() without validating each entry's path against the target directory.
  • Checking only the filename component with basename() but not the full path of each zip entry.
  • Not verifying that realpath() of the extracted file's destination is within the target directory.
  • Trusting zip files from authenticated users — a compromised account can upload malicious archives.

Avoid When

  • Never extract archives directly to a web-accessible directory without path validation.
  • Do not trust filenames inside zip/tar archives — they are attacker-controlled.

When To Use

  • Always validate extracted file paths against the intended destination directory using realpath().
  • Use str_starts_with(realpath($extractPath), $destinationDir . '/') (PHP 8.0+; on older versions strpos(...) === 0 does the same) to reject any path that escapes the target folder; compare against the directory with its trailing separator so that a sibling such as /uploads-old is not accepted as being inside /uploads.

Code Examples

✗ Vulnerable
$zip->extractTo('/uploads/'); // entries like ../../shell.php escape the dir
✓ Fixed
$base = realpath('/uploads/');
for ($i = 0; $i < $zip->numFiles; $i++) {
  $entry = $zip->getNameIndex($i);
  // check the full entry name, not just basename(): no absolute names and no ".." segments
  $parts = explode('/', str_replace('\\', '/', $entry));
  if ($entry === '' || $parts[0] === '' || in_array('..', $parts, true)) throw new Exception('Zip Slip: ' . $entry);
  $zip->extractTo($base, $entry); // extract one validated entry at a time, always under $base
}
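As a fuller, drop-in version of the fix, here is an added extractor (my code, not the glossary's; resolveEntryPath and safeExtract are my own names) that checks each entry's full path lexically before any write and then re-checks the parent directory with realpath(), so a directory under the destination that is really a symlink elsewhere is also rejected. It assumes a ZipArchive that is already open and a destination directory that exists.

```php
<?php
// Added example, not the glossary's own code: a Zip Slip-safe extractor for PHP's ZipArchive.
// Function names are my own. Every entry name is checked in full before anything is written.
// Lexically resolve $entry under $base (collapse "." and "..", no filesystem access) and return the
// absolute target path, or null if the entry would land outside $base.
function resolveEntryPath(string $base, string $entry): ?string
{
    $entry = str_replace('\\', '/', $entry);        // archives built on Windows may use backslashes
    if ($entry === '' || $entry[0] === '/' || preg_match('/^[A-Za-z]:/', $entry)) {
        return null;                                 // absolute or drive-qualified names never pass
    }
    $parts = [];
    foreach (explode('/', $entry) as $seg) {
        if ($seg === '' || $seg === '.') continue;
        if ($seg === '..') {
            if ($parts === []) return null;          // would climb above $base
            array_pop($parts);
            continue;
        }
        $parts[] = $seg;
    }
    return $parts === [] ? null : $base . '/' . implode('/', $parts);
}

function safeExtract(ZipArchive $zip, string $destDir): void
{
    $base = realpath($destDir);
    if ($base === false || !is_dir($base)) throw new RuntimeException("bad destination: $destDir");
    // Pass 1: validate every name first, so a malicious archive leaves no partial output behind.
    for ($i = 0; $i < $zip->numFiles; $i++) {
        $name = $zip->getNameIndex($i);
        if (resolveEntryPath($base, $name) === null) throw new RuntimeException("Zip Slip entry: $name");
    }
    // Pass 2: extract. realpath() on the nearest existing ancestor catches a directory inside $base that
    // is really a symlink to somewhere else, which the lexical check alone cannot see.
    for ($i = 0; $i < $zip->numFiles; $i++) {
        $name = $zip->getNameIndex($i);
        $target = resolveEntryPath($base, $name);
        $dir = substr($name, -1) === '/' ? $target : dirname($target);
        $probe = $dir;
        while (!is_dir($probe)) $probe = dirname($probe);   // stops at $base at the latest
        $real = realpath($probe);
        if ($real === false || strpos($real . '/', $base . '/') !== 0) throw new RuntimeException("Zip Slip entry: $name");
        if (!is_dir($dir) && !mkdir($dir, 0755, true)) throw new RuntimeException("mkdir failed: $dir");
        if ($dir === $target) continue;                 // directory entry: nothing more to write
        $data = $zip->getFromIndex($i);
        if ($data === false) throw new RuntimeException("cannot read entry: $name");
        file_put_contents($target, $data);             // writes a regular file, never a symlink
    }
}
```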

Added 15 Mar 2026
Edited 31 Mar 2026
DEV INTEL Tools & Severity
🔴 Critical · ⚙ Fix effort: Low
⚡ Quick Fix
When extracting ZIP files, validate every entry path with realpath() after joining it to the destination; reject any entry whose resolved path does not start with the extraction directory.
📦 Applies To
PHP 5.0+ · web · cli
🔍 Detection Hints
ZipArchive::extractTo() without validating each entry path; extracting user-uploaded ZIPs without path traversal check
Auto-detectable: ✓ Yes (semgrep, psalm)
🤖 AI Agent
Confidence: High · False Positives: Low · ✓ Auto-fixable · Fix: Low · Context: Function · Tests: Update
CWE-22 CWE-73