CVE-2018-1002201

MEDIUM

zt-zip < 1.13 - Path Traversal via Zip Archive Entry Extraction

Title source: llm

Exploitation Summary

EIP tracks 3 public exploits for CVE-2018-1002201. PoCs published by dawetmaster, andikahilmy, shoucheng3.

Description

zt-zip before 1.13 is vulnerable to directory traversal, allowing attackers to write to arbitrary files via a ../ (dot dot slash) in a Zip archive entry that is mishandled during extraction. This vulnerability is also known as 'Zip-Slip'.

Exploits (3)

nomisec WRITEUP
by dawetmaster · poc
https://github.com/dawetmaster/CVE-2018-1002201-zt-zip-vulnerable

This repository contains the source code of the vulnerable ZeroTurnaround ZT-ZIP library (version 1.11) affected by CVE-2018-1002201, along with documentation and examples. It does not include an exploit PoC but provides technical context for the vulnerability.

Classification: Writeup 90%
Attack Type: Other
Complexity: Moderate
Reliability: Theoretical
Target: ZeroTurnaround ZT-ZIP < 1.12
No auth needed
Prerequisites: Vulnerable ZT-ZIP library in use
devstral-2 · analyzed Mar 14, 2026

nomisec WRITEUP
by andikahilmy · poc
https://github.com/andikahilmy/CVE-2018-1002201-zt-zip-vulnerable

This repository contains the source code of the vulnerable zt-zip library (version 1.11) affected by CVE-2018-1002201, along with documentation and examples. It does not include an exploit PoC but provides detailed usage examples and background on the library's functionality.

Classification: Writeup 90%
Attack Type: Other
Complexity: Moderate
Reliability: Theoretical
Target: zt-zip library version 1.11
No auth needed
Prerequisites: Access to a system using the vulnerable zt-zip library
devstral-2 · analyzed Feb 18, 2026

nomisec WRITEUP
by shoucheng3 · poc
https://github.com/shoucheng3/zeroturnaround__zt-zip_CVE-2018-1002201_1-12

This repository contains documentation and examples for the zt-zip library, which is vulnerable to CVE-2018-1002201. The README provides usage examples but does not include exploit code or a proof-of-concept for the vulnerability.

Classification: Writeup 90%
Attack Type: Other
Complexity: Trivial
Reliability: Theoretical
Target: zt-zip library versions prior to 1.12
No auth needed
Prerequisites: Access to a system using the vulnerable zt-zip library
devstral-2 · analyzed Feb 16, 2026

References (5)

Core References
Exploit, Issue Tracking, Patch, Third Party Advisory x_refsource_misc
https://snyk.io/research/zip-slip-vulnerability
Exploit, Issue Tracking, Patch, Third Party Advisory x_refsource_misc
https://snyk.io/vuln/SNYK-JAVA-ORGZEROTURNAROUND-31681

Scores

CVSS v3 5.5
EPSS 0.0146
EPSS Percentile 81.4%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

Details

CWE: CWE-22
Status: published
Products (2)
jrebel/zt-zip < 1.13
org.zeroturnaround/zt-zip 0 - 1.13 (Maven)
Published Jul 25, 2018
Tracked Since Feb 18, 2026