Description

Using the ADD command to automatically extract files to the destination directory adds the risk of exploiting vulnerabilities such as zip bombs and Zip Slip that could then be activated automatically.

Impact

Expose the system to zip-based vulnerabilities

Recommendation

Avoid the use of the ADD command unless you need extract a local tar file. Instead, use the COPY command

Threat

Authenticated local attacker with access to the container

Expected Remediation Time

⏱️ 20 minutes.

Requirements

Fixes