CVE-2024-48510 Overview
A critical Directory Traversal vulnerability exists in DotNetZip v.1.16.0 and earlier versions that allows a remote attacker to execute arbitrary code via the src/Zip.Shared/ZipEntry.Extract.cs component. This vulnerability enables attackers to write files outside the intended extraction directory by crafting malicious ZIP archives containing path traversal sequences. It is important to note that this vulnerability only affects products that are no longer supported by the maintainer.
Critical Impact
Remote attackers can achieve arbitrary code execution by exploiting the directory traversal flaw during ZIP extraction, potentially leading to complete system compromise.
Affected Products
- Mihula Prodotnetzip (all versions up to and including v1.16.0)
- DotNetZip.Semverd Project (all versions up to and including v1.16.0)
- Applications using the DotNetZip NuGet package
Discovery Timeline
- 2024-11-13 - CVE-2024-48510 published to NVD
- 2025-05-02 - Last updated in NVD database
Technical Details for CVE-2024-48510
Vulnerability Analysis
This directory traversal vulnerability (CWE-22) occurs in the ZipEntry.Extract.cs component of the DotNetZip library. When a ZIP archive is extracted, the library fails to properly sanitize file paths contained within the archive. An attacker can craft a malicious ZIP file containing entries with relative path sequences such as ../ that, when extracted, write files outside the intended destination directory.
The vulnerability is particularly severe because it can be exploited remotely without authentication and requires no user interaction beyond triggering an extraction operation. Since DotNetZip is a widely-used .NET library for handling ZIP archives, applications that process untrusted ZIP files are at significant risk.
Root Cause
The root cause lies in the insufficient validation of file paths during the extraction process in the ZipEntry.Extract.cs component. The code located at lines 1365-1410 in the extraction logic does not adequately check for path traversal sequences before writing extracted files to the filesystem. This allows specially crafted archive entries to escape the extraction directory and write files to arbitrary locations on the system.
Attack Vector
The attack vector is network-based, requiring an attacker to deliver a malicious ZIP archive to a target system. This can be accomplished through various means including:
The vulnerability is triggered when an application using DotNetZip extracts a ZIP archive containing entries with path traversal sequences (e.g., ../../etc/cron.d/malicious). The extraction process follows the malicious path and writes files outside the intended directory, potentially overwriting critical system files or placing executable content in locations where it will be automatically executed.
Since the vulnerability requires no privileges or user interaction to exploit, attackers can chain this with other attack vectors to achieve arbitrary code execution. For example, an attacker might overwrite application configuration files or scheduled task definitions, or deploy a web shell.
Detection Methods for CVE-2024-48510
Indicators of Compromise
- Unexpected files appearing outside designated extraction directories
- Files with suspicious paths containing ../ sequences in application logs
- Unauthorized modifications to system configuration files or executables
- Presence of the vulnerable DotNetZip library versions (v1.16.0 or earlier) in application dependencies
Detection Strategies
- Monitor file system activity for writes to sensitive directories during ZIP extraction operations
- Implement application-level logging to capture all extracted file paths and flag those containing path traversal sequences
- Use dependency scanning tools to identify applications using vulnerable versions of DotNetZip or DotNetZip.Semverd
- Deploy endpoint detection rules to identify ZIP files containing entries with ../ path sequences
Monitoring Recommendations
- Enable detailed file system auditing on critical directories to detect unauthorized writes
- Monitor network traffic for delivery of ZIP files to applications known to use DotNetZip
- Implement behavioral analysis to detect unusual file creation patterns following archive extraction
- Review application logs for extraction operations involving untrusted ZIP files
How to Mitigate CVE-2024-48510
Immediate Actions Required
- Audit all applications to identify usage of DotNetZip or DotNetZip.Semverd libraries
- Implement input validation to sanitize file paths before extraction, rejecting entries containing path traversal sequences
- Restrict file system permissions for processes that handle ZIP extraction to limit the impact of potential exploitation
- Consider migrating to actively maintained ZIP handling libraries with proper path sanitization
Patch Information
As noted in the CVE description, this vulnerability only affects products that are no longer supported by the maintainer. No official patch is available from the original maintainers. Organizations should consider the alternatives listed under Workarounds below.
For detailed technical information about the vulnerable code, refer to the GitHub DotNetZip Code Snippet. Additional context is available in the security advisory on GitHub Gist.
Workarounds
- Implement application-level path validation before extraction that rejects any archive entries containing .. sequences
- Use a sandboxed extraction directory with restricted permissions and verify all extracted paths remain within the intended boundary
- Replace DotNetZip with alternative .NET ZIP libraries such as System.IO.Compression which includes built-in path traversal protections
- Apply the principle of least privilege to services handling ZIP extraction to minimize potential impact
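The following is an added example, not code from the page or from the DotNetZip project, showing the application-level path validation and extraction-boundary check described in the Detection Strategies and Workarounds sections: every entry name is checked before anything is written, unsafe entries are reported for logging and skipped, and safe entries are written through a verified path. It assumes the Ionic.Zip namespace of the DotNetZip NuGet package; the class and method names are hypothetical.

```csharp
using System;
using System.IO;
using Ionic.Zip; // namespace of the DotNetZip NuGet package (assumption: v1.16.0 API)

public static class SafeZipExtractor
{
    // Returns true only when the entry resolves to a path strictly inside destRoot.
    // Rejects absolute paths, drive-qualified names and any ".." segment, then
    // re-checks the canonical path so separator or normalization tricks cannot escape.
    public static bool IsEntryPathSafe(string destRoot, string entryName, out string fullPath)
    {
        fullPath = null;
        if (string.IsNullOrWhiteSpace(entryName)) return false;
        // Archives store '/', but hostile entries may also carry '\' to target Windows.
        string normalized = entryName.Replace('\\', '/');
        if (normalized.StartsWith("/") || Path.IsPathRooted(normalized)) return false;
        if (normalized.Length > 1 && normalized[1] == ':') return false; // e.g. "C:/..."
        foreach (string segment in normalized.Split('/'))
        {
            if (segment == "..") return false;
        }
        string root = Path.GetFullPath(destRoot)
            .TrimEnd(Path.DirectorySeparatorChar, Path.AltDirectorySeparatorChar)
            + Path.DirectorySeparatorChar;
        string candidate = Path.GetFullPath(Path.Combine(root, normalized));
        if (!candidate.StartsWith(root, StringComparison.Ordinal)) return false;
        fullPath = candidate;
        return true;
    }

    // Extracts every safe entry by copying its stream to the verified path rather
    // than relying on the library's own placement logic. Unsafe entry names are
    // passed to onUnsafeEntry (for logging/alerting) and skipped; returns their count.
    public static int SafeExtract(string zipPath, string destRoot, Action<string> onUnsafeEntry)
    {
        int unsafeCount = 0;
        using (ZipFile zip = ZipFile.Read(zipPath))
        {
            foreach (ZipEntry entry in zip.Entries)
            {
                if (!IsEntryPathSafe(destRoot, entry.FileName, out string target))
                {
                    unsafeCount++;
                    onUnsafeEntry?.Invoke(entry.FileName);
                    continue;
                }
                if (entry.IsDirectory) { Directory.CreateDirectory(target); continue; }
                Directory.CreateDirectory(Path.GetDirectoryName(target));
                using (Stream reader = entry.OpenReader())
                using (FileStream output = new FileStream(target, FileMode.CreateNew, FileAccess.Write))
                {
                    reader.CopyTo(output); // CreateNew also refuses to overwrite existing files
                }
            }
        }
        return unsafeCount;
    }
}
```

Calling SafeExtract with a logging delegate (for example `name => log.Warn("traversal entry: " + name)`) gives the extracted-path logging and flagging recommended above; a non-zero return value is a direct indicator that a hostile archive was received.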
```shell
# Example: Check for vulnerable DotNetZip versions in .NET projects
dotnet list package --vulnerable --include-transitive | grep -i dotnetzip
# Review and update packages.config or .csproj files to remove DotNetZip dependencies
```
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.