My ZIP isn't your ZIP: Identifying and Exploiting Semantic Gaps Between ZIP Parsers
Yufan You
34th USENIX Security Symposium (USENIX Security '25) · Day 1 · Software Security 1
In this USENIX Security talk, Yufan You presented research on **semantic gaps** in **ZIP file format** parsing, revealing a widespread and serious weakness across numerous applications and systems. The core observation is simple: the same ZIP archive can be interpreted differently by different parsers, so the content that is extracted or displayed depends on which software opened it. Such a discrepancy is termed a semantic gap, and the research shows it is not a rare anomaly but the pervasive norm within the ZIP ecosystem, which matters whenever one component (a scanner, a signature verifier, a marketplace) inspects an archive with one parser and another component (an extractor, an installer) consumes it with a different one.
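The disagreement described above can be shown with a hand-built archive. The following is an added example, not code from the paper or the talk, and it illustrates only one well-known class of ZIP ambiguity rather than the paper's taxonomy: it writes a ZIP whose central directory advertises a single entry `a.txt` while the sequence of local file headers contains an extra, unreferenced `a.txt` in front of it, then compares what Python's `zipfile` (which enumerates entries from the central directory) returns with what a minimal sequential parser (which trusts local headers only, the strategy streaming extractors use) returns. The payload strings `HIDDEN` and `LISTED`, the helper names and the sequential parser are all constructed for the demonstration.

```python
from __future__ import annotations

import io
import struct
import zipfile
import zlib

LOCAL_SIG = 0x04034B50    # "PK\x03\x04", local file header
CENTRAL_SIG = 0x02014B50  # "PK\x01\x02", central directory entry
EOCD_SIG = 0x06054B50     # "PK\x05\x06", end of central directory record

# Constructed payloads for the demonstration (not from the paper).
HIDDEN = b"only a parser that walks local headers sees this"
LISTED = b"only this entry is advertised by the central directory"


def local_header(name: bytes, data: bytes) -> bytes:
    """Local file header followed by its data, for one STORED (method 0) entry."""
    hdr = struct.pack(
        "<IHHHHHIIIHH",
        LOCAL_SIG,
        20,                    # version needed to extract
        0,                     # general purpose flags (no data descriptor)
        0,                     # compression method: stored
        0, 0,                  # DOS mod time / date
        zlib.crc32(data) & 0xFFFFFFFF,
        len(data), len(data),  # compressed / uncompressed size
        len(name), 0,          # filename length, extra field length
    )
    return hdr + name + data


def central_entry(name: bytes, data: bytes, local_offset: int) -> bytes:
    """Central directory record pointing at the local header at local_offset."""
    hdr = struct.pack(
        "<IHHHHHHIIIHHHHHII",
        CENTRAL_SIG,
        20, 20,                # version made by, version needed
        0, 0,                  # flags, compression method
        0, 0,                  # DOS mod time / date
        zlib.crc32(data) & 0xFFFFFFFF,
        len(data), len(data),  # compressed / uncompressed size
        len(name), 0, 0,       # filename, extra, comment lengths
        0, 0,                  # disk number start, internal attributes
        0,                     # external attributes
        local_offset,          # offset of the local header this record describes
    )
    return hdr + name


def build_ambiguous_zip() -> bytes:
    """Two local headers both named a.txt; the central directory lists only the second."""
    first = local_header(b"a.txt", HIDDEN)   # never referenced by the central directory
    second = local_header(b"a.txt", LISTED)
    body = first + second
    cd = central_entry(b"a.txt", LISTED, local_offset=len(first))
    # EOCD: disk 0, central dir on disk 0, 1 entry on disk, 1 entry total,
    # central dir size, central dir offset, empty comment.
    eocd = struct.pack("<IHHHHIIH", EOCD_SIG, 0, 0, 1, 1, len(cd), len(body), 0)
    return body + cd + eocd


def walk_central_directory(blob: bytes) -> list[tuple[str, bytes]]:
    """View 1: Python's zipfile, which enumerates entries from the central directory."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return [(info.filename, zf.read(info)) for info in zf.infolist()]


def walk_local_headers(blob: bytes) -> list[tuple[str, bytes]]:
    """View 2: a minimal sequential parser that trusts local headers only.
    Handles stored entries without data descriptors, which is all this demo needs."""
    entries, pos = [], 0
    while pos + 30 <= len(blob):
        (sig, _ver, flags, method, _t, _d, _crc,
         csize, _usize, nlen, xlen) = struct.unpack_from("<IHHHHHIIIHH", blob, pos)
        if sig != LOCAL_SIG:
            break                                  # reached the central directory
        if method != 0 or flags & 0x08:
            raise ValueError("demo parser handles stored entries without data descriptors")
        name = blob[pos + 30:pos + 30 + nlen].decode("utf-8")
        start = pos + 30 + nlen + xlen
        entries.append((name, blob[start:start + csize]))
        pos = start + csize
    return entries


def first_match(entries, name: str):
    """A consumer that stops at the first entry carrying the requested name."""
    return next((data for n, data in entries if n == name), None)


if __name__ == "__main__":
    blob = build_ambiguous_zip()
    print("central directory view:", walk_central_directory(blob))
    print("local header view:     ", walk_local_headers(blob))
```

Run stand-alone, the central-directory view reports one `a.txt` containing `LISTED`, while the sequential view reports two `a.txt` entries and the first one contains `HIDDEN`. A scanner that walks the central directory therefore never inspects the hidden bytes, and a consumer that takes the first match for `a.txt` from a stream gets different content for the same name than one that asks `zipfile`. Real tools are often stricter than the toy sequential parser here (many also cross-check the central directory), so treat this as the shape of the ambiguity, not a claim about any specific product.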
AI review
Systematic, first-of-its-kind study that exposes ZIP parser inconsistency as a near-universal condition rather than a collection of isolated bugs. The differential fuzzing methodology is rigorous, the 14-class taxonomy of ambiguities is a genuine contribution, and the five exploitation chains — spanning email gateways, digital signature forgery, and a full supply chain takeover of the VS Code marketplace — are the kind of demos that make vendors quietly pull engineers into side rooms. This is the rare academic paper that also ships real bug bounties and CVEs.