Zip Bomb

Zip Bomb Definition
A zip bomb (also called a decompression bomb) is a malicious compressed archive designed to overwhelm a system when unpacked. It expands to an enormous size or consumes excessive CPU and RAM, aiming to stall or crash antivirus scanners, email gateways, or endpoints that attempt to open or scan it. Zip bombs are typically used to create a denial-of-service (DoS) window for other threats or simply to cause disruption.
How a Zip Bomb Works
A zip bomb abuses the way security tools and email systems decompress attachments and archives to check them for threats. The archive is crafted so that this ordinary step consumes excessive resources, either by inflating into an extremely large output or by forcing the unzipper into excessive parsing and memory allocation. As a result, the scanner or system slows down, times out, or crashes.
Classic zip bombs use deep nesting (zip-inside-zip) and highly repetitive data that compresses efficiently. A tiny attachment can expand into gigabytes or terabytes during recursive extraction. Non-recursive zip bombs achieve the same effect in a single pass, as they contain overlapping zip entries that all reference the same compressed kernel.
What Is the Largest Zip Bomb?
The best known example is “42.zip,” a tiny 42 KB archive that expands to about 4.5 petabytes (around 4,500,000 GB) when fully and recursively extracted. It’s widely studied and documented, and most modern tools now flag and block it automatically.
In 2019, researchers demonstrated a non-recursive ZIP bomb with a compression ratio of over 28 million to 1, a 10 MB file inflating to 281 TB. A ZIP64 variant of that file can inflate tens of megabytes into several petabytes.
How to Avoid Damage from Zip Bombs
- Watch out for tiny archives (kilobytes or a few megabytes) whose metadata reports a very large uncompressed size.
- Look out for warning signs during extraction, like CPU spikes, long stalls, or free disk space shrinking rapidly.
- Disable auto-extraction for email clients and file managers.
- Inspect files before extracting by checking archive properties.
- Keep unarchivers, antivirus, and mail gateways patched.
- Enforce limits on scanners and gateways, like capping recursion depth and total uncompressed size or adding CPU/time ceilings for archive scanning.
- Open suspicious archives in a virtual machine with limited disk space.
- Hold or strip archives from unknown senders.
- Block files with double extensions or excessive nesting.
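The checks above (size limits, ratio and nesting caps, inspection before extraction) and the overlapping-entry trick from the "How a Zip Bomb Works" section can all be applied from the central directory without inflating anything. The following is an added example, not code from the original page or any vendor's product: it reads an archive's central-directory metadata with Python's standard `zipfile` module, flags a high declared ratio, an oversized declared total, overlapping entry data regions and deep nesting, and then shows a chunked extractor that stops as soon as the bytes actually produced exceed a budget. The limit values, the `find_overlaps`, `inspect_zip`, `extract_bounded` and `build_sample` names, and the sample archives (a run of zero bytes, optionally wrapped in further ZIPs) are assumptions constructed for this example.

```python
"""Defensive inspection and bounded extraction of ZIP archives (added example)."""
import io
import zipfile

# Illustrative policy values for this example, not vendor defaults.
MAX_RATIO = 100                      # declared uncompressed / compressed bytes
MAX_TOTAL_BYTES = 8 * 1024 * 1024    # declared total per archive (8 MiB)
MAX_ENTRIES = 10_000                 # guards against "many tiny files" parsing cost
MAX_NESTING = 1                      # archive-inside-archive levels tolerated
ARCHIVE_SUFFIXES = (".zip", ".jar", ".7z", ".rar", ".gz", ".tgz")
CHUNK = 64 * 1024


class BombSuspected(Exception):
    """Raised when extraction would exceed the configured output budget."""


def find_overlaps(entries):
    """Return names whose compressed data region collides with another entry.

    entries: iterable of (header_offset, compress_size, name). The local file
    header (30 bytes + name + extra) is not counted, so each end bound is a
    lower bound: every overlap reported is real, a few may be missed. Entries
    sharing one compressed kernel are the signature of a non-recursive bomb.
    """
    flagged, prev_end = [], -1
    for offset, csize, name in sorted(entries):
        if offset < prev_end:
            flagged.append(name)
        prev_end = max(prev_end, offset + csize)
    return flagged


def inspect_zip(data: bytes, depth: int = 0) -> dict:
    """Inspect central-directory metadata only; nothing is inflated here."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile as exc:
        return {"ratio": 0.0, "total_uncompressed": 0,
                "findings": [f"malformed archive: {exc}"]}
    findings = []
    with zf:
        infos = zf.infolist()
        total_c = sum(i.compress_size for i in infos)
        total_u = sum(i.file_size for i in infos)
        ratio = total_u / max(total_c, 1)
        if len(infos) > MAX_ENTRIES:
            findings.append(f"{len(infos)} entries exceeds {MAX_ENTRIES}")
        if total_u > MAX_TOTAL_BYTES:
            findings.append(f"declared size {total_u} B exceeds {MAX_TOTAL_BYTES} B")
        if ratio > MAX_RATIO:
            findings.append(f"compression ratio {ratio:.0f}:1 exceeds {MAX_RATIO}:1")
        for name in find_overlaps((i.header_offset, i.compress_size, i.filename)
                                  for i in infos):
            findings.append(f"overlapping entry data: {name}")
        # Nested archives: recurse only inside the depth budget and only when the
        # inner archive's declared size fits the total budget.
        for info in infos:
            if not info.filename.lower().endswith(ARCHIVE_SUFFIXES):
                continue
            if depth + 1 > MAX_NESTING:
                findings.append(f"nesting deeper than {MAX_NESTING}: {info.filename}")
            elif not info.filename.lower().endswith((".zip", ".jar")):
                findings.append(f"nested non-ZIP archive not inspected: {info.filename}")
            elif info.file_size > MAX_TOTAL_BYTES:
                findings.append(f"nested archive too large to inspect: {info.filename}")
            else:
                inner = inspect_zip(zf.read(info), depth + 1)
                findings.extend(f"{info.filename} -> {f}" for f in inner["findings"])
    return {"ratio": ratio, "total_uncompressed": total_u, "findings": findings}


def extract_bounded(data: bytes, max_bytes: int = MAX_TOTAL_BYTES) -> dict:
    """Inflate members in fixed chunks; the budget counts bytes actually produced,
    not the header's declared sizes. Members stay in memory here; a gateway
    would write them to a quota-limited directory after sanitising paths."""
    out, produced = {}, 0
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            buf = bytearray()
            with zf.open(info) as member:
                while chunk := member.read(CHUNK):
                    produced += len(chunk)
                    if produced > max_bytes:
                        raise BombSuspected(f"output passed {max_bytes} B in {info.filename}")
                    buf += chunk
            out[info.filename] = bytes(buf)
    return {"members": out, "bytes": produced}


def build_sample(uncompressed_bytes: int, nest: int = 0) -> bytes:
    """Constructed test archive: zero bytes deflate to roughly 1/1000 of their
    size, wrapped `nest` times in further ZIPs to exercise the depth check."""
    blob, name = b"\0" * uncompressed_bytes, "zeros.bin"
    for _ in range(nest + 1):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr(name, blob)
        blob, name = buf.getvalue(), "inner.zip"
    return blob


def build_benign() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("readme.txt", b"a small, ordinary text file\n")
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in [("benign", build_benign()),
                        ("16 MiB of zeros", build_sample(16 * 1024 * 1024)),
                        ("double nested", build_sample(16 * 1024 * 1024, nest=2))]:
        report = inspect_zip(blob)
        print(f"{label}: {len(blob)} B on disk, declared ratio {report['ratio']:.0f}:1")
        for finding in report["findings"]:
            print("  !", finding)
```

Run as a script it prints one report per constructed archive; the 16 MiB sample is flagged on both ratio and declared total while its on-disk size is a few kilobytes. The metadata pass is what a gateway should run first, because it costs only a central-directory read; `extract_bounded` is the fallback for archives that pass inspection but must still be opened, and it halts on real output volume rather than trusting what the archive claims about itself.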
FAQ
No, a zip bomb isn’t a virus; it’s a malicious archive designed to trigger extreme resource use during extraction. While it may not carry executable malware, it can still disrupt scanners or systems by exhausting memory, CPU, or disk space. That’s why many vendors also call it a decompression bomb or archive bomb.
It’s crucial not to double-click a suspicious zip file. View its properties first and compare the compressed size with the uncompressed size it reports. Next, scan it with up-to-date security software. If you must look inside, use a sandbox or virtual machine with limited disk space. That way, even if the file expands into terabytes of data, your primary system stays protected.
Yes, 7z/rar/gzip bombs are possible as well. “Zip bomb” is a popular name, but the concept doesn’t focus on a specific archive format. Any archive file format that permits extreme expansion or heavy parsing can be abused similarly, and that includes 7z, RAR, and GZIP. The mitigation principles, like limits on recursion/expansion and careful inspection, are the same as well.