CVE-2022-1271: GNU Gzip Path Traversal Vulnerability

CVE-2022-1271 Overview

An arbitrary file write vulnerability was discovered in GNU gzip's zgrep utility that allows attackers to overwrite arbitrary files on the system. When zgrep processes a maliciously crafted filename containing two or more newlines, an attacker can embed selected content and target file names within the crafted multi-line filename. This results in the ability to write attacker-controlled content to arbitrary files, potentially leading to code execution or system compromise.

Critical Impact
Remote, low-privileged attackers can force zgrep to write arbitrary files on vulnerable systems, enabling potential code execution, configuration tampering, or complete system compromise through malicious file overwrites.

Affected Products

GNU gzip (all versions prior to patch)
Red Hat JBoss Data Grid 7.0.0
Debian Linux 10.0
Tukaani XZ (xzgrep utility)

Discovery Timeline

August 31, 2022 - CVE-2022-1271 published to NVD
June 9, 2025 - Last updated in NVD database

Technical Details for CVE-2022-1271

Vulnerability Analysis

This vulnerability exists in the zgrep utility, which is used to search compressed files without first decompressing them. The flaw stems from insufficient validation when the utility processes filenames that contain embedded newline characters. When a filename contains two or more newlines, the zgrep utility fails to properly sanitize the input, allowing portions of the filename to be interpreted as content to write and target file paths.

The attack exploits a fundamental input validation weakness (CWE-20: Improper Input Validation) combined with improper handling of special character sequences (CWE-179: Incorrect Behavior Order: Early Validation). An attacker can craft a malicious filename where the content before certain newlines becomes the data to write, and the content after becomes the target file path.

This vulnerability is particularly dangerous because it requires only low privileges to exploit and can be triggered remotely in scenarios where users process attacker-supplied archive files or filenames through automated scripts using zgrep.

Root Cause

The root cause lies in insufficient input validation within the zgrep shell script when handling filenames with embedded newline characters. The utility fails to properly escape or reject filenames containing multiple newlines before passing them to underlying shell commands. This allows the crafted filename to be split and interpreted in unintended ways, with parts of the filename becoming shell command arguments that specify file write operations to arbitrary paths.

Attack Vector

The attack is network-accessible, requiring an attacker to supply a crafted filename to a system running a vulnerable version of gzip's zgrep utility. Attack scenarios include:

Archive processing: An attacker creates an archive containing files with malicious multi-line filenames. When a victim extracts and processes these files with zgrep, the arbitrary file write occurs.
Automated pipelines: Build systems, log processors, or backup utilities that automatically process compressed files using zgrep can be exploited by introducing files with crafted filenames.
User interaction: A user manually running zgrep on a file with a crafted name supplied by an attacker.

The vulnerability allows writing arbitrary content to any file writable by the user running zgrep. This can be leveraged to:

Overwrite shell configuration files (.bashrc, .profile) for code execution
Modify cron jobs or systemd service files
Tamper with application configuration files
Write to web-accessible directories for web shell deployment

Detection Methods for CVE-2022-1271

Indicators of Compromise

Presence of files with unusual multi-line filenames in processed directories
Unexpected modifications to system configuration files, shell profiles, or cron jobs
Log entries showing zgrep operations on files with newline characters embedded in filenames
Anomalous file creation or modification timestamps in critical system directories

Detection Strategies

Monitor for zgrep process executions with arguments containing newline characters or escape sequences
Implement file integrity monitoring (FIM) on critical configuration files and directories
Deploy behavioral detection rules that alert on unexpected file writes following zgrep execution
Analyze system logs for patterns indicating filename injection attempts in compression utilities

Monitoring Recommendations

Enable comprehensive auditing on file operations in sensitive directories (/etc, /home/*/.bashrc, cron directories)
Configure SentinelOne to monitor for suspicious command-line patterns involving zgrep and unusual filename characters
Implement alerting for modifications to shell initialization files and scheduled task configurations
Review archived files for suspicious filenames before processing in automated pipelines

How to Mitigate CVE-2022-1271

Immediate Actions Required

Update GNU gzip to the latest patched version immediately on all affected systems
Apply the Tukaani XZ patch for xzgrep if using XZ utilities
Review and update any scripts that invoke zgrep on untrusted filenames
Implement input validation in wrapper scripts to reject filenames containing newline characters
Temporarily disable automated zgrep processing of untrusted archives until patches are applied

Patch Information

Security patches have been released by multiple vendors to address this vulnerability. The GNU gzip mailing list contains the official bug report and patch discussion. Tukaani has released a specific patch for xzgrep addressing the same vulnerability in their implementation.

For enterprise environments, consult the following vendor advisories:

Workarounds

Avoid processing files with untrusted filenames using zgrep until patched
Implement wrapper scripts that validate filenames and reject those containing newline characters before passing to zgrep
Use alternative tools for searching compressed files that are not affected by this vulnerability
Sanitize all filenames by stripping or encoding newline characters before compression or processing

bash

# Wrapper script to sanitize filenames before zgrep processing
# Rejects filenames containing newline characters
sanitize_filename() {
    local filename="$1"
    if [[ "$filename" == *$'\n'* ]]; then
        echo "Error: Filename contains newline characters - rejected for security" >&2
        return 1
    fi
    return 0
}

# Example usage before zgrep
if sanitize_filename "$target_file"; then
    zgrep "$pattern" "$target_file"
fi

CVE-2022-1271 Overview

Critical Impact
Remote, low-privileged attackers can force zgrep to write arbitrary files on vulnerable systems, enabling potential code execution, configuration tampering, or complete system compromise through malicious file overwrites.

Affected Products

GNU gzip (all versions prior to patch)
Red Hat JBoss Data Grid 7.0.0
Debian Linux 10.0
Tukaani XZ (xzgrep utility)

Discovery Timeline

August 31, 2022 - CVE-2022-1271 published to NVD
June 9, 2025 - Last updated in NVD database

Technical Details for CVE-2022-1271

Vulnerability Analysis

Root Cause

Attack Vector

The attack is network-accessible, requiring an attacker to supply a crafted filename to a system running a vulnerable version of gzip's zgrep utility. Attack scenarios include:

Archive processing: An attacker creates an archive containing files with malicious multi-line filenames. When a victim extracts and processes these files with zgrep, the arbitrary file write occurs.
Automated pipelines: Build systems, log processors, or backup utilities that automatically process compressed files using zgrep can be exploited by introducing files with crafted filenames.
User interaction: A user manually running zgrep on a file with a crafted name supplied by an attacker.

The vulnerability allows writing arbitrary content to any file writable by the user running zgrep. This can be leveraged to:

Overwrite shell configuration files (.bashrc, .profile) for code execution
Modify cron jobs or systemd service files
Tamper with application configuration files
Write to web-accessible directories for web shell deployment

Detection Methods for CVE-2022-1271

Indicators of Compromise

Presence of files with unusual multi-line filenames in processed directories
Unexpected modifications to system configuration files, shell profiles, or cron jobs
Log entries showing zgrep operations on files with newline characters embedded in filenames
Anomalous file creation or modification timestamps in critical system directories

Detection Strategies

Monitor for zgrep process executions with arguments containing newline characters or escape sequences
Implement file integrity monitoring (FIM) on critical configuration files and directories
Deploy behavioral detection rules that alert on unexpected file writes following zgrep execution
Analyze system logs for patterns indicating filename injection attempts in compression utilities

Monitoring Recommendations

Enable comprehensive auditing on file operations in sensitive directories (/etc, /home/*/.bashrc, cron directories)
Configure SentinelOne to monitor for suspicious command-line patterns involving zgrep and unusual filename characters
Implement alerting for modifications to shell initialization files and scheduled task configurations
Review archived files for suspicious filenames before processing in automated pipelines

How to Mitigate CVE-2022-1271

Immediate Actions Required

Update GNU gzip to the latest patched version immediately on all affected systems
Apply the Tukaani XZ patch for xzgrep if using XZ utilities
Review and update any scripts that invoke zgrep on untrusted filenames
Implement input validation in wrapper scripts to reject filenames containing newline characters
Temporarily disable automated zgrep processing of untrusted archives until patches are applied

Patch Information

For enterprise environments, consult the following vendor advisories:

Workarounds

Avoid processing files with untrusted filenames using zgrep until patched
Implement wrapper scripts that validate filenames and reject those containing newline characters before passing to zgrep
Use alternative tools for searching compressed files that are not affected by this vulnerability
Sanitize all filenames by stripping or encoding newline characters before compression or processing

bash

# Wrapper script to sanitize filenames before zgrep processing
# Rejects filenames containing newline characters
sanitize_filename() {
    local filename="$1"
    if [[ "$filename" == *$'\n'* ]]; then
        echo "Error: Filename contains newline characters - rejected for security" >&2
        return 1
    fi
    return 0
}

# Example usage before zgrep
if sanitize_filename "$target_file"; then
    zgrep "$pattern" "$target_file"
fi

CVE-2022-1271: GNU Gzip Path Traversal Vulnerability

CVE-2022-1271 Overview

Critical Impact

Affected Products

Discovery Timeline

Technical Details for CVE-2022-1271

Vulnerability Analysis

Root Cause

Attack Vector

Detection Methods for CVE-2022-1271

Indicators of Compromise

Detection Strategies

Monitoring Recommendations

How to Mitigate CVE-2022-1271

Immediate Actions Required

Patch Information

Workarounds

Experience the World’s Most Advanced Cybersecurity Platform

CVE-2022-1271: GNU Gzip Path Traversal Vulnerability

CVE-2022-1271 Overview

Critical Impact

Affected Products

Discovery Timeline

Technical Details for CVE-2022-1271

Vulnerability Analysis

Root Cause

Attack Vector

Detection Methods for CVE-2022-1271

Indicators of Compromise

Detection Strategies

Monitoring Recommendations

How to Mitigate CVE-2022-1271

Immediate Actions Required

Patch Information

Workarounds

Experience the World’s Most Advanced Cybersecurity Platform