Summary
- Compression in zip archives minimizes data repetition by pointing back to original content.
- Zip bombs exploit compression, using recursion to create massive, system-crashing files.
- Detection and prevention of zip bombs require external strategies, like limiting extraction depth and size.
You might open it by accident. But the moment it starts to unzip, your computer’s file system crashes. Except there’s no malware in the zip archive, only math.
How Compression Works
When you compress a file into a ZIP archive, your computer looks for patterns in the 1s and 0s. Repeated parts are stored once. Then, instead of writing the same thing again and again, the archive just points back to the original version. It is brutally efficient. That is why text files tend to shrink so well. A few repeated strings can reduce megabytes to kilobytes.
A zip bomb takes that logic and turns it against the computer.
Instead of a few repeated blocks, it includes one block repeated millions of times. Again, the data itself is never copied, but the zip bomb points to it over and over again. Then it wraps that inside another archive. Then again. Then again.
By the time you reach the outer layer, it looks harmless. The file is tiny. It transfers fast. There is nothing unusual about it. But once it starts unpacking, the references unfold. Each one opens into the next. The result is not a typical unarchiving of the zip because it becomes an avalanche.
The Famous One
The best-known zip bomb is called “forty-two dot zip.” It is just forty-two kilobytes on disk. Inside, it contains sixteen archive files. Each of those contains sixteen more. All of them point to the same chunk of filler data. In programming terms, this is called recursion. Think of mathematical recursion like a hall of mirrors. One file opens another. That file opens the same file again. Each layer follows the last. Nothing new is added. The structure just keeps calling itself, again and again, until the system runs out of space to keep track.
If you manage to unzip it completely, which most systems cannot do, the contents expand into about four and a half million gigabytes. The 42.zip archive was never meant to infect anything. Its entire purpose is to crash the tools that try to open it.
Why They Still Exist
Zip bombs are still in use today, mostly in technical or research settings. Some are used by security testers to push system boundaries. Some appear in academic work to explore edge cases in compression. Some are sent during actual cyberattacks, not as the attack itself, but as a distraction.
Modern zip bombs use newer tricks. Some combine archive formats. Others include password-protected layers that confuse basic scanners. A few are broken across multiple emails, only dangerous when reassembled.
One such archive, built in 2023, was ten megabytes on disk. When fully extracted, it produced more than five million gigabytes of filler.
Even right now, you can make one yourself. Write a script that archives files. Zip a file. Then zip the zip. Then zip that. Repeat it 100 times. The outer file still looks small. It still sends fast over email. But each layer deepens the load.
Can You Detect One?
The only protection is strategy. There’s no fix in the file itself. The archive is just innocuous bits. The protection has to come from the outside.
Some systems stop unzipping after a few layers. Others refuse to extract more than a specific amount of data. A few tools look for repeated references to the same block of memory.
Antivirus tools have caught on too. They set limits: how deep they’ll scan, how big they’ll unpack. But not every system is protected. Sometimes, it’s a curious user. Sometimes, it’s automated. Anything that tries to unzip it fully becomes the victim. And this works in WSL or in Docker. The method is agnostic about operating systems.
If you’re writing automation, limit decompression size. If you’re scanning uploads, cap the depth. If you’re receiving files from strangers, don’t trust file size or type alone.
Legal? Technically
Zip bombs are opened inside virtual machines, with kill switches and memory caps. The test is always isolated. The file never runs on a live system.
A zip bomb is not a piece code. It is not a script or an executable, so it’s not an exploit in the usual sense. It’s a quirk of the way modern computers work that a simple zip file without any executables can do real damage.
There is no law against sending someone a zip file without a virus payload. But that does not mean it’s legal. A zip bomb sent to crash a coworker’s computer is not a prank. It is a kind of sabotage. Courts tend to focus on the outcome, not the file type.
The real danger of a zip bomb is that it asks the system to work harder than it was meant to by overloading its file system. And most systems say yes. That’s the trick and the trap.