CVE-2024-48510

9.8 CRITICAL

📋 TL;DR

This CVE describes a directory traversal vulnerability in DotNetZip v1.16.0 and earlier that allows remote attackers to write arbitrary files outside the intended extraction directory. Attackers can exploit this to achieve remote code execution by writing malicious files to sensitive locations. Only products using unsupported versions of DotNetZip are affected.

💻 Affected Systems

Products:
  • DotNetZip
Versions: v1.16.0 and earlier
Operating Systems: Windows, Linux, macOS - any OS running .NET applications using DotNetZip
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects applications that use the vulnerable Extract methods. The library is no longer maintained by the original author.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution with SYSTEM/root privileges leading to complete system compromise, data exfiltration, and lateral movement.

🟠 Likely Case: Arbitrary file write leading to web shell deployment, data manipulation, or privilege escalation.

🟢 If Mitigated: File write limited to the intended directory with proper input validation and file permission restrictions.

🌐 Internet-Facing: HIGH - Web applications processing user-uploaded ZIP files are directly exposed to exploitation.
🏢 Internal Only: MEDIUM - Internal applications processing ZIP files could be exploited via phishing or compromised internal systems.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The vulnerability is in the Extract.cs component where path validation is insufficient. Attackers can craft ZIP archives with directory traversal sequences (../) in filenames.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: N/A

Vendor Advisory: N/A

Restart Required: No

Instructions:

1. Migrate to a maintained alternative such as System.IO.Compression.ZipArchive (built into .NET) or SharpZipLib.
2. Remove DotNetZip from your projects.
3. Update all dependencies to use secure alternatives.

🔧 Temporary Workarounds

Implement custom extraction validation (applies to: all platforms)

Add path validation before extraction to ensure files stay within the intended directory: resolve each extracted path with Path.GetFullPath(), check it against the allowed directory, and reject entries containing directory traversal sequences.
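The validation described above, as an added example that is not code from the advisory or from the DotNetZip project. It assumes .NET 5 or later and uses the built-in System.IO.Compression types; the archive path and destination directory are whatever the caller supplies.

```csharp
// Added example: per-entry path validation applied while extracting an archive.
// The same ResolveEntryPath check can wrap any library's entry loop.
using System;
using System.IO;
using System.IO.Compression;

static class SafeExtract
{
    // Returns the validated absolute target path, or null if the entry name
    // would resolve outside destRoot ("..", rooted paths, drive-relative names).
    public static string ResolveEntryPath(string destRoot, string entryName)
    {
        // Normalise the destination once and force a trailing separator so that
        // "C:\out" is not matched by a sibling such as "C:\output\evil.txt".
        string root = Path.GetFullPath(destRoot);
        if (!root.EndsWith(Path.DirectorySeparatorChar))
            root += Path.DirectorySeparatorChar;

        // Entry names may use either separator; rooted names are rejected outright.
        string name = entryName.Replace('/', Path.DirectorySeparatorChar)
                               .Replace('\\', Path.DirectorySeparatorChar);
        if (Path.IsPathRooted(name))
            return null;

        // Path.GetFullPath collapses "." and ".." segments; the result must still
        // sit under the root (case-insensitive comparison on Windows).
        string full = Path.GetFullPath(Path.Combine(root, name));
        var cmp = OperatingSystem.IsWindows()
            ? StringComparison.OrdinalIgnoreCase : StringComparison.Ordinal;
        return full.StartsWith(root, cmp) ? full : null;
    }

    public static void ExtractArchive(string zipPath, string destRoot)
    {
        using ZipArchive archive = ZipFile.OpenRead(zipPath);
        foreach (ZipArchiveEntry entry in archive.Entries)
        {
            string target = ResolveEntryPath(destRoot, entry.FullName);
            if (target == null)
                throw new InvalidDataException($"Rejected traversal entry: {entry.FullName}");
            if (entry.FullName.EndsWith("/"))   // directory entry, nothing to write
            {
                Directory.CreateDirectory(target);
                continue;
            }
            Directory.CreateDirectory(Path.GetDirectoryName(target)!);
            entry.ExtractToFile(target, overwrite: false);
        }
    }
}
```

The built-in ZipFileExtensions.ExtractToDirectory already performs an equivalent containment check; the explicit version matters for code that extracts entries in its own loop with Path.Combine.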

Use alternative ZIP library (applies to: all platforms)

Replace DotNetZip with System.IO.Compression.ZipArchive or another maintained library. From the NuGet Package Manager Console:

Install-Package System.IO.Compression.ZipFile
Uninstall-Package DotNetZip

🧯 If You Can't Patch

  • Implement strict input validation on ZIP file uploads and reject files with suspicious path patterns
  • Run applications using DotNetZip with minimal privileges and in isolated environments

🔍 How to Verify

Check if Vulnerable:

Check project dependencies for DotNetZip version 1.16.0 or earlier. Review code for usage of ZipEntry.Extract methods.

Check Version:

Check .csproj or packages.config for <PackageReference Include="DotNetZip" Version="..." />

Verify Fix Applied:

Verify DotNetZip is removed from dependencies and replaced with secure alternatives. Test extraction with malicious ZIP files containing traversal sequences.

📡 Detection & Monitoring

Log Indicators:

  • Failed file write attempts outside expected directories
  • Unusual process creation from ZIP extraction processes
  • Multiple ../ sequences in file paths in application logs

Network Indicators:

  • Large ZIP file uploads followed by suspicious outbound connections
  • Unusual file writes to system directories

SIEM Query:

source="application_logs" AND ("../" OR "..\\" OR "%2e%2e%2f") AND "extract" AND "zip"
