zipbomb.me
what is a zip bomb?
A zip bomb is a denial-of-service payload: a compressed file crafted so that its tiny compressed form expands to a huge size when decompressed. Any software that decompresses the file can be affected (burning CPU cycles, exhausting memory, filling storage space, etc.), often before it has a chance to notice how large the output is getting.
make your own zipbombs
Zip bombs can be trivially produced by sending a stream of identical bytes through a compression algorithm. For example, passing 1 GiB of '\x00' bytes to gzip (the -9 flag selects the best compression ratio):
dd if=/dev/zero bs=1GiB count=1 | gzip -9 > 1gib.gz
You can check the size of the output:
# Show human-readable size of the compressed file
du -bh 1gib.gz
# Show uncompressed data size (streams the output through wc instead of writing it to disk)
gzip -dc 1gib.gz | wc -c | numfmt --to=iec
compression ratios
A zip bomb author might choose to maximize the ratio between the uncompressed and compressed payload sizes so that the payload fits through size-limited or bandwidth-constrained channels. As an example, a 1 GB payload might gzip down to only 948 KB, an expansion factor of roughly 1055x.
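The recipe above and the ratio arithmetic can be wrapped into a few shell functions. The script below is an added example, not code from zipbomb.me: it builds a zero-filled gzip bomb of a chosen size (16 MiB by default, so it finishes in about a second), computes the expansion ratio, and shows two ways a consumer can size a gzip file before inflating it all the way. Filenames, the 16 MiB demo size and the 1 MiB limit are arbitrary choices for the example.

```shell
#!/usr/bin/env sh
# Added example (not from zipbomb.me): build a gzip bomb, measure its
# expansion ratio, and size it safely from the consumer's side.
set -eu

# make_zero_bomb SIZE_MIB OUTFILE
# Compress SIZE_MIB mebibytes of '\x00' with gzip -9, as the page does.
# bs is given numerically (1 MiB) because dd size suffixes differ across
# GNU and BSD implementations.
make_zero_bomb() {
    dd if=/dev/zero bs=1048576 count="$1" 2>/dev/null | gzip -9 > "$2"
}

# file_size FILE -> compressed byte count (wc -c is portable; stat flags are not)
file_size() {
    wc -c < "$1" | tr -d ' '
}

# gzip_isize FILE -> the ISIZE trailer, i.e. the last 4 bytes of the file,
# little-endian: the uncompressed length the *producer* wrote, modulo 2^32.
# `gzip -l` prints this same field, so it wraps for payloads of 4 GiB and
# larger and can simply be forged. Treat it as a hint, never as a bound.
gzip_isize() {
    set -- $(tail -c 4 "$1" | od -An -tu1)
    echo $(( $1 + $2 * 256 + $3 * 65536 + $4 * 16777216 ))
}

# inflated_size FILE -> actual uncompressed byte count, streamed through wc
# so nothing is written to disk (this still spends CPU on the whole payload).
inflated_size() {
    gzip -dc "$1" | wc -c | tr -d ' '
}

# expansion_ratio FILE -> integer ratio uncompressed / compressed
expansion_ratio() {
    echo $(( $(inflated_size "$1") / $(file_size "$1") ))
}

# inflate_within_limit FILE LIMIT_BYTES
# Returns 0 if FILE inflates to at most LIMIT_BYTES, 1 otherwise. Decompression
# stops after LIMIT+1 bytes, so checking a 100 GiB bomb costs at most LIMIT+1
# bytes of work. This, not ISIZE, is the check to run before trusting a file.
inflate_within_limit() {
    n=$(gzip -dc "$1" 2>/dev/null | head -c $(( $2 + 1 )) | wc -c | tr -d ' ')
    [ "$n" -le "$2" ]
}

# Stand-alone demo: a 16 MiB zero bomb, checked against a 1 MiB limit.
demo() {
    tmp=$(mktemp -d)
    make_zero_bomb 16 "$tmp/16mib.gz"
    echo "compressed:    $(file_size "$tmp/16mib.gz") bytes"
    echo "ISIZE claims:  $(gzip_isize "$tmp/16mib.gz") bytes"
    echo "inflated:      $(inflated_size "$tmp/16mib.gz") bytes"
    echo "ratio:         $(expansion_ratio "$tmp/16mib.gz")x"
    if inflate_within_limit "$tmp/16mib.gz" 1048576; then
        echo "within 1 MiB limit"
    else
        echo "exceeds 1 MiB limit: refuse to inflate"
    fi
    rm -rf "$tmp"
}
demo
```

Because every byte of the input is identical, the ratio barely depends on the payload size: deflate encodes each 258-byte run in a couple of bits, so a 16 MiB bomb lands at roughly the same 1000x the page reports for 1 GiB. The bounded check is the part worth copying into anything that accepts compressed uploads: it never allocates the full output and does not depend on what the trailer claims.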
Not all compression algorithms are created equal. Some algorithms are optimized for images, videos, or other media and better compression ratios might be achieved by mimicking the structure they are optimized for.
available payloads
gzip bombs
Name | Compressed Size | Safe Download | 💣 gzip | 💣 text |
1GiB | 1018KiB | 1gib.gz | 1gib.gz | 1gib.gz |
10GiB | 10MiB | 10gib.gz | 10gib.gz | 10gib.gz |
100GiB | 100MiB | 100gib.gz | 100gib.gz | 100gib.gz |
Note: Firefox appears to ignore the Content-Encoding header for .gz downloads and saves the payload still compressed. Use the text link if you want to force Firefox to decompress gzip files.
brotli bombs
Name | Compressed Size | Safe Download | 💣 br | 💣 text |
1GiB | 809B | 1gib.br | 1gib.br | 1gib.br |
10GiB | 7.9KiB | 1gib.br | 1gib.br | 1gib.br |
100GiB | 79KiB | 1gib.br | 1gib.br | 1gib.br |
downloading payloads
The tables above provide three different download options for each payload.
- safe download: Downloads the compressed version of the zip bomb without any header instructing your browser to decompress it. This is expected to be safe for most clients; what lands on disk is the small compressed file.
- 💣 gzip / 💣 br (compressed): Downloads the file with the Content-Encoding header set, instructing your browser or HTTP client to decompress the payload transparently while receiving it.
- 💣 text: Sends the response with Content-Encoding set and Content-Type set to text/plain. This should trigger your browser to decompress the payload and render it in the tab.
It is also possible to use curl to download the payloads. Curl will only uncompress the payload if the --compressed flag is passed.
# Download in compressed form:
curl https://zipbomb.me/gz/1gib.gz -o 1gib.gz
# Decompress the payload before saving (writes the full 1 GiB to disk):
curl --compressed https://zipbomb.me/gz/1gib.gz -o 1gib
zipbomb.me © 2019-2025 by Austin Hartzheim is licensed under CC BY-NC-SA 4.0