CVE-2018-1002202

MEDIUM

zip4j < 1.3.3 - Path Traversal via Zip Archive Entry Extraction

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2018-1002202. PoCs published by shoucheng3, iris-sast.

AI-analyzed exploit summary: This repository contains decompiled source code for the zip4j library versions 1.3.2 (vulnerable) and 1.3.3 (fixed) for CVE-2018-1002202, which is a path traversal vulnerability. The code provided is a snapshot of the vulnerable and patched versions for analysis purposes.

Description

zip4j before 1.3.3 is vulnerable to directory traversal, allowing attackers to write to arbitrary files via a ../ (dot dot slash) in a Zip archive entry that is mishandled during extraction. This vulnerability is also known as 'Zip-Slip'.

Exploits (2)

nomisec WRITEUP
by shoucheng3 · poc
https://github.com/shoucheng3/srikanth-lingala__zip4j_CVE-2018-1002202_1-3-2

This repository contains decompiled source code for the zip4j library versions 1.3.2 (vulnerable) and 1.3.3 (fixed) for CVE-2018-1002202, which is a path traversal vulnerability. The code provided is a snapshot of the vulnerable and patched versions for analysis purposes.

Classification: Writeup 90%
Attack Type: Other
Complexity: Trivial
Reliability: Theoretical
Target: zip4j library versions 1.3.2
No auth needed
Prerequisites: Access to the vulnerable zip4j library
devstral-2 · analyzed Feb 16, 2026

nomisec WRITEUP
by iris-sast · poc
https://github.com/iris-sast/zip4j

This repository contains decompiled source code for zip4j library versions 1.3.2 (vulnerable) and 1.3.3 (fixed) for CVE-2018-1002202, which is a path traversal vulnerability. It does not include an exploit PoC but provides source code for analysis.

Classification: Writeup 90%
Attack Type: Other
Complexity: Trivial
Reliability: Theoretical
Target: zip4j 1.3.2
No auth needed
Prerequisites: Access to the vulnerable zip4j library
devstral-2 · analyzed Feb 16, 2026

References (4)

Core References
Exploit, Issue Tracking, Patch, Third Party Advisory x_refsource_misc
https://snyk.io/research/zip-slip-vulnerability
Third Party Advisory x_refsource_misc
https://snyk.io/vuln/SNYK-JAVA-NETLINGALAZIP4J-31679

Scores

CVSS v3 6.5
EPSS 0.0372
EPSS Percentile 88.3%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

Details

CWE: CWE-22
Status: published
Products (2)
net.lingala.zip4j/zip4j 0 - 1.3.3 (Maven)
zip4j_project/zip4j < 1.3.3
Published Jul 25, 2018
Tracked Since Feb 18, 2026