Zip bomb
A zip bomb (also known as a decompression bomb or zip of death) is a type of denial-of-service (DoS) attack disguised as a seemingly small, legitimate archive file (e.g., ZIP, RAR, 7z). Upon attempted decompression, the file's highly compressed, often nested or recursively structured content rapidly expands into an impossibly large volume of data — potentially terabytes or even petabytes. This exponential growth overwhelms the target system's storage, memory, CPU, or network resources, leading to system crashes, hangs, or severe performance degradation, effectively rendering the system inoperable.
Zip bombs exploit the inherent trust that users and automated systems place in file compression and decompression utilities, making them a particularly deceptive threat vector.
What is a zip bomb?
A zip bomb is a malicious archive file specifically engineered to contain data that achieves extraordinarily high compression ratios. While the compressed file may appear to be only a few kilobytes in size, the data it contains — once fully decompressed — can expand to millions or billions of times its original size. The attack relies on the mathematical properties of compression algorithms, which are extremely efficient at compressing repetitive data patterns (such as long sequences of zeros).
One of the most well-known examples is 42.zip, a file that is only 42 KB when compressed but expands to approximately 4.5 petabytes (PB) of data. It achieves this through 5 layers of nested zip files, each containing 16 zip files, which ultimately decompress into 16 files of 4.3 GB each at the deepest level.
Why are zip bombs dangerous?
Zip bombs pose a serious threat for several reasons:
- System resource exhaustion: When a zip bomb is unpacked, the decompressed data can quickly consume all available disk space, RAM, and CPU cycles, causing the target system to crash or become completely unresponsive.
- Antivirus evasion: Many antivirus programs scan archive contents by decompressing them. A zip bomb can cause these scanners to hang, crash, or consume excessive resources, effectively disabling the security software and leaving the system vulnerable to other attacks.
- Automated system disruption: Mail servers, file upload services, and content management systems that automatically scan or unpack attachments are particularly vulnerable. Malicious actors have used zip bombs embedded in email attachments to overload mail servers, leading to widespread service disruption.
- Stealth and simplicity: Because the file appears small and innocuous, it can easily bypass initial file-size filters and social engineering defenses, as noted by cybersecurity researchers at organizations like CrowdStrike and Kaspersky.
How does a zip bomb work?
Zip bombs work by exploiting the fundamental mechanics of data compression algorithms. There are two primary techniques:
- Recursive (nested) zip bombs: These contain multiple layers of archives nested within one another. Each layer, when decompressed, reveals another set of compressed archives, creating an exponential expansion effect. The classic 42.zip is a prime example of this approach.
- Non-recursive (flat) zip bombs: More modern variants achieve massive decompression ratios within a single archive layer by overlapping file references within the zip structure itself, making them harder to detect through simple nesting checks.
In both cases, the compressed data typically consists of highly repetitive patterns (e.g., long strings of identical bytes) that compress to an extremely small size but expand dramatically upon decompression.
When were zip bombs first discovered?
Zip bombs have been known in the cybersecurity community since at least the early 2000s. The iconic 42.zip file became widely discussed around 2001–2002 and quickly became a benchmark example of the technique. However, the underlying concept — exploiting compression ratios for malicious purposes — predates specific zip bomb files and was discussed in academic papers on compression attacks and algorithmic vulnerabilities. Over the years, security researchers at organizations such as the SANS Institute have published analyses of evolving zip bomb techniques, including non-recursive variants that emerged in 2019.
Which tools detect zip bombs?
Several categories of tools and techniques are used to detect and mitigate zip bombs:
- Antivirus software: Leading antivirus vendors including Sophos, ESET, and Norton have implemented safeguards such as decompression depth limits, output size thresholds, and compression ratio analysis to identify and quarantine suspected zip bombs.
- Email security gateways: Enterprise email solutions often include attachment scanning that checks for excessive compression ratios or deeply nested archive structures before allowing delivery.
- Custom scripts and libraries: Security teams frequently use programming libraries (e.g., Python's zipfile module) to pre-analyze archive metadata — checking reported uncompressed sizes, nesting depth, and compression ratios — without fully decompressing the file.
- Web application firewalls (WAFs): Some WAFs and file upload validators include rules that reject archives exceeding predefined decompression thresholds.
Best practices include setting strict limits on maximum decompression size, nesting depth, and resource allocation for any automated process that handles compressed files.
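An added example (not from the original article or any vendor's product) of the metadata pre-analysis described above: it reads only the ZIP central directory through Python's zipfile module and checks declared size, compression ratio, nesting depth and, for the flat (non-recursive) variant, overlapping local file headers. The limits and the sample archive are constructed for this example.

```python
import io
import zipfile

# Policy limits: assumed values for this example, not taken from any product.
MAX_TOTAL = 100 * 1024 * 1024   # declared uncompressed bytes allowed per layer
MAX_RATIO = 100.0               # uncompressed/compressed; deflate tops out near 1032:1
MAX_DEPTH = 1                   # archive layers we are willing to descend into
NESTED_CAP = 1024 * 1024        # bytes read from a nested archive before giving up
LOCAL_HDR = 30                  # fixed size of a local file header before name/extra

def inspect_zip(data: bytes, depth: int = 0) -> list:
    """Return policy violations found from the central directory alone (empty = clean)."""
    problems = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = sorted(zf.infolist(), key=lambda i: i.header_offset)
        total = sum(i.file_size for i in infos)
        ratio = total / max(sum(i.compress_size for i in infos), 1)
        if total > MAX_TOTAL:
            problems.append(f"depth {depth}: declares {total} bytes > {MAX_TOTAL}")
        if ratio > MAX_RATIO:
            problems.append(f"depth {depth}: ratio {ratio:.0f}:1 > {MAX_RATIO:.0f}:1")
        # Flat bombs point many entries at one compressed stream, so local headers
        # overlap: a header that starts before the previous entry's data ends is one.
        for prev, cur in zip(infos, infos[1:]):
            if cur.header_offset < prev.header_offset + LOCAL_HDR + prev.compress_size:
                problems.append(f"depth {depth}: {cur.filename} overlaps {prev.filename}")
        for info in (i for i in infos if i.filename.lower().endswith((".zip", ".jar"))):
            if depth >= MAX_DEPTH:
                problems.append(f"depth {depth}: nested {info.filename} beyond depth limit")
                continue
            with zf.open(info) as f:  # bounded read: never trust the declared size
                inner = f.read(NESTED_CAP + 1)
            if len(inner) > NESTED_CAP:
                problems.append(f"depth {depth}: nested {info.filename} too big to inspect")
            else:
                problems.extend(inspect_zip(inner, depth + 1))
    return problems

def make_zip(entries: dict) -> bytes:
    buf = io.BytesIO()  # builds a small in-memory archive for the constructed sample
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, payload in entries.items():
            zf.writestr(name, payload)
    return buf.getvalue()

# Constructed sample: 4 MiB of zeros (deflates to a few KiB, ~1000:1) plus two nested layers.
SAMPLE = make_zip({
    "zeros.bin": b"\0" * (4 * 1024 * 1024),
    "inner.zip": make_zip({"deeper.zip": make_zip({"note.txt": b"hi"})}),
})
```

The sizes checked here come from an attacker-controlled central directory, so this is only a pre-filter: the extraction step must still cap the bytes it writes and abort when that cap is reached.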