UPDATED 20:46 EDT / JUNE 05 2018


‘Zip Slip’ vulnerability affects projects across multiple coding languages and companies

Researchers at cybersecurity firm Snyk Ltd. have uncovered a new vulnerability that affects thousands of projects, including ones written in multiple programming languages and used by some of the largest companies in the business.

Dubbed “Zip Slip,” the issue is an arbitrary file overwrite vulnerability, meaning an attacker can overwrite an existing file on the victim’s system. It is triggered by a directory traversal attack, a technique best known from web applications in which crafted paths let an attacker reach directories outside the intended one, applied here while files are being extracted from an archive.

As the name suggests, the vulnerability relates to archive formats such as the well-known ZIP format, but it also covers a range of others, including tar, jar, war, cpio, apk, rar and 7z. According to the researchers, the vulnerability can lead to situations where an attacker has files extracted outside the intended extraction directory and overwrites sensitive files.

Vulnerable code has been found in projects written in JavaScript, Ruby, .NET and Go, but the issue is especially prevalent in Java and affects thousands of projects, including ones from Hewlett Packard Enterprise Co., Amazon.com Inc., Apache open-source projects, Pivotal Software Inc. and many more.

“The premise of the directory traversal vulnerability is that an attacker can gain access to parts of the file system outside of the target folder in which they should reside,” the researchers explained. “The attacker can then overwrite executable files and either invoke them remotely or wait for the system or user to call them, thus achieving remote command execution on the victim’s machine. The vulnerability can also cause damage by overwriting configuration files or other sensitive resources, and can be exploited on both client (user) machines and servers.”
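A defensive illustration of the check the researchers describe, added here as an example and not code from Snyk’s paper or from any of the affected projects: it builds a constructed archive containing one normal entry, one entry whose name carries `..` components and one with an absolute path, then shows a containment check based on canonical paths that refuses the whole archive before anything is written to disk. It uses Python’s standard `zipfile` module; the archive contents, entry names and the scratch directory are made up for the demonstration.

```python
import io
import os
import tempfile
import zipfile


def build_sample_archive(hostile: bool) -> bytes:
    """Build a constructed in-memory ZIP (not a real-world sample).

    With hostile=True it carries the two entry shapes Zip Slip relies on:
    a relative name with '..' components and an absolute path.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", "benign content\n")
        if hostile:
            # ZipInfo stores the raw name; ZipFile.writestr(str) would normalise it.
            zf.writestr(zipfile.ZipInfo("../../outside.txt"), "should never land here\n")
            zf.writestr(zipfile.ZipInfo("/tmp/abs.txt"), "absolute path entry\n")
    return buf.getvalue()


def entry_is_contained(target_dir: str, entry_name: str) -> bool:
    """True only if entry_name, joined onto target_dir, resolves inside target_dir.

    Both sides are canonicalised with realpath, so '..' segments, redundant
    separators, absolute names and a symlinked target directory are all
    handled. commonpath is used instead of startswith so that a sibling
    directory sharing the target's prefix (target2 next to target) is not
    mistaken for a path inside the target.
    """
    target = os.path.realpath(target_dir)
    candidate = os.path.realpath(os.path.join(target, entry_name))
    try:
        return os.path.commonpath([target, candidate]) == target
    except ValueError:
        # Raised on Windows when the paths are on different drives: clearly outside.
        return False


def audit_archive(data: bytes, target_dir: str) -> dict:
    """Classify every entry as 'safe' or 'traversal' without extracting anything."""
    report = {"safe": [], "traversal": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            key = "safe" if entry_is_contained(target_dir, info.filename) else "traversal"
            report[key].append(info.filename)
    return report


def safe_extract(data: bytes, target_dir: str) -> list:
    """Extract only if every entry stays inside target_dir; otherwise refuse the archive.

    Refusing the whole archive, rather than skipping the offending entries, is
    the conservative choice: a traversal entry marks the archive as hostile.
    """
    report = audit_archive(data, target_dir)
    if report["traversal"]:
        raise ValueError(f"archive contains traversal entries: {report['traversal']}")
    written = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            dest = os.path.join(target_dir, info.filename)
            if info.is_dir():
                os.makedirs(dest, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(dest), exist_ok=True)
            with zf.open(info) as src, open(dest, "wb") as dst:
                dst.write(src.read())
            written.append(dest)
    return written


def run_demo() -> dict:
    """Audit the hostile archive, confirm it is refused, then extract a clean one."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        results["audit"] = audit_archive(build_sample_archive(hostile=True), tmp)
        try:
            safe_extract(build_sample_archive(hostile=True), tmp)
            results["hostile_refused"] = False
        except ValueError:
            results["hostile_refused"] = True
        written = safe_extract(build_sample_archive(hostile=False), tmp)
        results["clean_written"] = [os.path.relpath(p, tmp) for p in written]
    return results


if __name__ == "__main__":
    print(run_demo())
```

The same containment test applies unchanged to tar, jar, war and the other formats the article lists, since the flaw is in how an extraction routine trusts entry names rather than in the ZIP container itself.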

Along with publishing a technical paper explaining the vulnerability, the researchers also published details of a proof-of-concept attack using the method.

“Given the severity and widespread nature of the ZipSlip vulnerability, I very strongly recommend you spend some time ensuring you are not vulnerable either through other libraries or your own code,” Snyk’s Danny Grander wrote in a blog post that included the details of the proof-of-concept attack.

Image: Snyk
