CVE-2023-39135

7.8 HIGH

📋 TL;DR

CVE-2023-39135 is a path traversal vulnerability in the Zip Swift library v2.1.2: entry names inside an archive are joined to the extraction directory without being validated, so an entry whose name contains ../ sequences is written outside the intended directory. Any application that passes attacker-supplied archives to the vulnerable library is affected. With the privileges of the extracting process, an attacker can overwrite configuration files, application assets or executables, and so plant malicious code.

💻 Affected Systems

Products:
  • Zip Swift library
Versions: v2.1.2 specifically
Operating Systems: All platforms where Zip Swift is used (iOS, macOS, Linux, etc.)
Default Config Vulnerable: ⚠️ Yes
Notes: Any application using Zip Swift v2.1.2 for zip extraction without additional path validation is vulnerable.

📦 What is this software?

Zip (github.com/marmelroy/Zip) is a Swift framework for creating and extracting zip archives, built on minizip and distributed through CocoaPods and Swift Package Manager for iOS, macOS and Linux applications.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution with the privileges of the extracting process. Where that process has broad filesystem access (a server-side service or a command-line tool), overwriting executables, scheduled-job definitions or configuration files leads to complete system compromise, data theft or ransomware deployment.

🟠 Likely Case

Tampering with the application's own files or configuration, denial of service from clobbered data, or persistence via planted files. On sandboxed iOS and macOS apps the writes are confined to the app container, which limits but does not remove the impact.

🟢 If Mitigated

Writes are limited to the extraction directory once every entry path is validated against the target directory and extraction runs in a sandbox.

🌐 Internet-Facing: HIGH - Applications accepting zip uploads from untrusted sources are directly exploitable.
🏢 Internal Only: MEDIUM - Requires user interaction or malicious internal actor to supply crafted zip files.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation is straightforward: create a zip file whose entry names contain directory traversal sequences (for example ../../target) and get the application to extract it. A public proof of concept is attached to the referenced GitHub issue.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v2.1.3 and later

Vendor Advisory: https://github.com/marmelroy/Zip/issues/245

Restart Required: No

Instructions:

1. Update the Zip Swift dependency to v2.1.3 or later.
2. In the Podfile specify pod 'Zip', '~> 2.1.3'; in Package.swift use .package(url: "https://github.com/marmelroy/Zip.git", from: "2.1.3").
3. Run the dependency update (pod update Zip for CocoaPods, swift package update for Swift Package Manager).
4. Rebuild and redeploy the application.

🔧 Temporary Workarounds

Input validation wrapper (all platforms)

Implement custom extraction logic that computes the destination path of every entry before anything is written and rejects the entry unless that path lies inside the target directory. A plain prefix comparison is not enough on its own: the base path needs a trailing separator, otherwise a sibling directory such as target-evil passes as target.

// Swift: compare standardized paths; the trailing "/" on the base keeps "out-evil" from passing as "out"
let base = targetDirectory.standardizedFileURL.path + "/"
let candidate = targetDirectory.appendingPathComponent(entryName).standardizedFileURL.path
guard candidate.hasPrefix(base) else { /* reject this entry */ }

Sandbox extraction (all platforms)

Extract zip files in an isolated container or sandbox with filesystem access restricted to the extraction directory, so that a traversal entry has nowhere to land.

🧯 If You Can't Patch

  • Disable zip file upload/processing functionality entirely
  • Implement strict file type validation and reject zip files from untrusted sources

🔍 How to Verify

Check if Vulnerable:

Check whether your project resolves Zip Swift to v2.1.2: look for 'Zip (2.1.2)' in Podfile.lock, or for a Zip entry whose "version" is 2.1.2 in Package.resolved.

Check Version:

grep -n 'Zip (2.1.2)' Podfile.lock for CocoaPods; for Swift Package Manager, grep -n -i -A4 '"zip"' Package.resolved and read the "version" field.

Verify Fix Applied:

Confirm the resolved Zip Swift version is 2.1.3 or higher in the lock files, then test extraction with a crafted zip sample whose entry names contain ../ sequences and absolute paths: the application must refuse those entries, and nothing may appear outside the extraction directory.
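The following is an added example, not code from this page or from the Zip project. It covers both the input validation wrapper above and this verification step, written in Python so it runs anywhere: it builds a small constructed archive with the hostile entry names described in this advisory (write_sample_zip saves it to disk for feeding to an app built against the library), shows with prefix_check why a bare string-prefix comparison is fooled by a sibling directory, and extracts with a strict containment check that resolves each destination and requires it to sit inside the target. All function names are this example's own.

```python
from __future__ import annotations

import io
import os
import stat
import tempfile
import zipfile
from pathlib import Path


def build_sample_zip() -> bytes:
    """Constructed test archive: one benign entry plus three hostile entry
    names of the kind this CVE is about. Built in memory, not a capture."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("docs/readme.txt", "benign content\n")
        zf.writestr("../../escaped.txt", "written outside the target dir\n")
        zf.writestr("/tmp/absolute.txt", "absolute entry name\n")
        zf.writestr("docs/../../../sibling.txt", "traversal hidden mid-path\n")
    return buf.getvalue()


def write_sample_zip(path: str | os.PathLike) -> Path:
    """Save the sample to disk so it can be fed to the application under test."""
    out = Path(path)
    out.write_bytes(build_sample_zip())
    return out


def prefix_check(target: Path, entry: str) -> bool:
    """The weak form of the check: a bare string-prefix comparison. It accepts
    any path that merely starts with the target path, so "../out-evil/x"
    passes when the target is ".../out"."""
    dest = os.path.normpath(os.path.join(str(target), entry))
    return dest.startswith(str(target))


def safe_destination(target: Path, entry: str) -> Path | None:
    """Return the resolved path an entry would be written to, or None if that
    path is not strictly inside `target`. Absolute names, ".." components and
    near-miss siblings such as "out-evil" are all rejected."""
    if "\\" in entry or "\x00" in entry:
        return None  # zip names must use "/"; a backslash or NUL is a sign of tampering
    base = target.resolve()
    dest = (base / entry).resolve()  # an absolute `entry` replaces `base` here, then fails the check
    if dest == base or not dest.is_relative_to(base):
        return None
    return dest


def is_symlink_entry(info: zipfile.ZipInfo) -> bool:
    """Symlink entries are rejected outright: a link planted by one entry lets a
    later entry write through it even though every name passes the path check."""
    return stat.S_ISLNK(info.external_attr >> 16)


def safe_extract(zip_bytes: bytes, target: Path) -> dict[str, list[str]]:
    """Extract only the entries whose destination stays inside `target`.
    Returns which entry names were written and which were rejected."""
    report: dict[str, list[str]] = {"extracted": [], "rejected": []}
    target.mkdir(parents=True, exist_ok=True)
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            dest = safe_destination(target, info.filename)
            if dest is None or is_symlink_entry(info):
                report["rejected"].append(info.filename)
                continue
            if info.is_dir():
                dest.mkdir(parents=True, exist_ok=True)
            else:
                dest.parent.mkdir(parents=True, exist_ok=True)
                with zf.open(info) as src, open(dest, "wb") as dst:
                    dst.write(src.read())
            report["extracted"].append(info.filename)
    return report


def demo() -> dict:
    """Run the sample through safe_extract in a scratch directory and report
    what landed where; also contrast the weak and the strict checks."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        target = root / "out"
        report = safe_extract(build_sample_zip(), target)
        return {
            "report": report,
            "benign_ok": (target / "docs" / "readme.txt").read_text() == "benign content\n",
            "nothing_escaped": [p.name for p in root.iterdir()] == ["out"],
            "weak_check_fooled": prefix_check(target, "../out-evil/payload"),
            "strict_check_rejects": safe_destination(target, "../out-evil/payload") is None,
        }


if __name__ == "__main__":
    print(demo())
```

Run the script directly to see the report; write_sample_zip("traversal-sample.zip") produces the file to hand to the application under test. The check must run per entry against the live filesystem state, which is why symlink entries are refused before anything is written.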

📡 Detection & Monitoring

Log Indicators:

  • File extraction errors in application logs
  • Permission denied errors for system paths during extraction
  • File writes landing outside the extraction directory

Network Indicators:

  • Unusual zip file uploads, multiple failed extraction attempts

SIEM Query:

source="app_logs" AND ("extraction failed" OR "permission denied") AND "zip"

🔗 References